[PATCH] BSS: Fix use-after-realloc
Mon Mar 5 06:22:27 PST 2012
On Mon, Mar 05, 2012 at 12:30:15PM +0200, Eliad Peller wrote:
> After reallocation of the bss struct, current_bss
> wasn't updated and could hold an invalid pointer
> (which might get dereferenced later).
> Update current_bss if the pointer was changed.
Thanks for catching this!
> realloc is pretty dangerous if a reference could be
> saved somewhere. I suspect there might be similar issues
> in the codebase, but I haven't looked at it thoroughly.
realloc is not the only reason for that.. Similar cases apply for
configuration re-read, but I would hope that those are all covered with
> diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
> @@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
> res->ie_len + res->beacon_ie_len);
> bss->ie_len = res->ie_len;
> bss->beacon_ie_len = res->beacon_ie_len;
> + if (wpa_s->current_bss == bss)
> + wpa_s->current_bss = nbss;
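Review bot: The check `if (wpa_s->current_bss == bss)` is placed after `bss` has already been overwritten with the reallocated pointer (bss == nbss at this point in wpa_bss_update, as the reply notes), so it can never match the stale pre-realloc address and `wpa_s->current_bss = nbss;` is a no-op. Move the two added lines to immediately before the existing `bss = nbss;` statement, where `bss` still holds the old address; the comparison only needs the pointer value and never dereferences the freed block.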
This is broken.. bss == nbss here. I would assume you wanted to do that
just before the "bss = nbss;" line.
Jouni Malinen PGP id EFC895FA
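As an added illustration that is not hostap code and not the patch above, the stale-reference pattern discussed in this thread reconstructed in miniature, with the current_bss update placed before the pointer is overwritten as the reply suggests; struct bss, struct ctx, ctx_new and bss_update are constructed names, not wpa_supplicant's types.

```c
/* Constructed example: a saved reference (current_bss) that must be
 * repointed when the object it refers to is moved by realloc(). */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

struct bss {
    size_t ie_len;
    unsigned char ie[];       /* IEs stored inline after the header */
};

struct ctx {
    struct bss *bss;          /* the allocation that gets reallocated */
    struct bss *current_bss;  /* saved reference that can go stale */
};

/* Allocate a ctx whose current_bss already refers to its single bss. */
static struct ctx *ctx_new(size_t ie_len)
{
    struct ctx *ctx = calloc(1, sizeof(*ctx));
    if (!ctx)
        return NULL;
    ctx->bss = calloc(1, sizeof(struct bss) + ie_len);
    if (!ctx->bss) {
        free(ctx);
        return NULL;
    }
    ctx->bss->ie_len = ie_len;
    ctx->current_bss = ctx->bss;
    return ctx;
}

/* Grow the bss to hold new IEs. The stale-reference check runs while
 * 'bss' still holds the OLD address; once 'bss = nbss' has executed,
 * 'ctx->current_bss == bss' could only match the new block and the
 * update would be a no-op exactly when it is needed. */
static int bss_update(struct ctx *ctx, const unsigned char *ie, size_t ie_len)
{
    struct bss *bss = ctx->bss;
    if (ie_len > bss->ie_len) {
        struct bss *nbss = realloc(bss, sizeof(*bss) + ie_len);
        if (!nbss)
            return -1;            /* old block is still valid on failure */
        /* Compare pointer values only; the old block is not dereferenced. */
        if (ctx->current_bss == bss)
            ctx->current_bss = nbss;
        bss = nbss;
        ctx->bss = nbss;
    }
    memcpy(bss->ie, ie, ie_len);
    bss->ie_len = ie_len;
    return 0;
}
```

The result holds whether or not realloc() actually moves the block, which is why the fix belongs in the code path rather than relying on allocator behaviour.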