[PATCH] BSS: Fix use-after-realloc

Eliad Peller eliad
Mon Mar 5 06:34:44 PST 2012


On Mon, Mar 5, 2012 at 4:22 PM, Jouni Malinen <j at w1.fi> wrote:
> On Mon, Mar 05, 2012 at 12:30:15PM +0200, Eliad Peller wrote:
>> After reallocation of the bss struct, current_bss
>> wasn't updated and could hold an invalid pointer
>> (which might get dereferenced later).
>>
>> Update current_bss if the pointer was changed.
>
> Thanks for catching this!
>

>> diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
>> @@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? res->ie_len + res->beacon_ie_len);
>> ? ? ? ? ? ? ? ? ? ? ? bss->ie_len = res->ie_len;
>> ? ? ? ? ? ? ? ? ? ? ? bss->beacon_ie_len = res->beacon_ie_len;
>> + ? ? ? ? ? ? ? ? ? ? if (wpa_s->current_bss == bss)
>> + ? ? ? ? ? ? ? ? ? ? ? ? ? ? wpa_s->current_bss = nbss;
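Review bot: the two added lines compare the alias after `bss` has already been replaced by the reallocated pointer, so `wpa_s->current_bss == bss` tests against `nbss` rather than the old address and can only match when the block did not move, leaving current_bss dangling in exactly the case the patch is meant to fix. Move `if (wpa_s->current_bss == bss)` / `wpa_s->current_bss = nbss;` to just before the `bss = nbss;` assignment, so the alias is retargeted while `bss` still holds the old pointer.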
>
> This is broken.. bss == nbss here. I would assume you wanted to do that
> just before the "bss = nbss;" line.
>
Err... you are right, of course.
Thanks for catching this! :)

Do you want me to resend, or can you just fix and apply it?

Eliad.
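The ordering mistake discussed in this thread, reduced to a stand-alone C illustration. This is an added example and not hostap code: `struct bss` and `struct supplicant` are minimal stand-ins for `struct wpa_bss` and the `current_bss` field of `struct wpa_supplicant`, and the reallocation is modelled as malloc/copy/free (an assumption chosen so the block is guaranteed to move, which is the case that matters; a real realloc() behaves the same way whenever it cannot grow in place). `update_alias_after` retargets the alias after `bss = nbss`, as in the first version of the patch, and `update_alias_before` does it before, as requested in the review.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct wpa_bss (assumption: only the trailing IE buffer,
 * which grows on update, is modelled). */
struct bss {
    size_t ie_len;
    uint8_t ie[];              /* reallocated when a larger scan result arrives */
};

/* Stand-in for the relevant parts of struct wpa_supplicant. */
struct supplicant {
    struct bss *table;         /* owning pointer, like the wpa_s->bss list entry */
    struct bss *current_bss;   /* non-owning alias into the table */
};

static struct bss *bss_alloc(size_t ie_len) {
    struct bss *b = calloc(1, sizeof(*b) + ie_len);
    if (b) b->ie_len = ie_len;
    return b;
}

/* Deterministic "move": allocate, copy, free the old block.  Stands in for
 * realloc() so the moved-pointer case is exercised every run. */
static struct bss *bss_grow(struct bss *old, size_t new_ie_len) {
    struct bss *nb = bss_alloc(new_ie_len);
    if (!nb) return NULL;
    memcpy(nb->ie, old->ie, old->ie_len);
    free(old);                 /* old address is now invalid */
    return nb;
}

/* Ordering of the first patch: bss already holds nbss when the alias is
 * compared, so the test only matches if the block did not move and
 * current_bss is left dangling otherwise. */
int update_alias_after(struct supplicant *s, size_t new_ie_len) {
    struct bss *bss = s->table;
    struct bss *nbss = bss_grow(bss, new_ie_len);
    if (!nbss) return -1;
    bss = nbss;
    s->table = bss;
    if (s->current_bss == bss)     /* compares against the new pointer */
        s->current_bss = nbss;
    return 0;
}

/* Ordering requested in review: compare against the old pointer and
 * retarget the alias before bss is overwritten. */
int update_alias_before(struct supplicant *s, size_t new_ie_len) {
    struct bss *bss = s->table;
    struct bss *nbss = bss_grow(bss, new_ie_len);
    if (!nbss) return -1;
    if (s->current_bss == bss)     /* bss is still the old address here */
        s->current_bss = nbss;
    bss = nbss;
    s->table = bss;
    return 0;
}

/* 1 if current_bss still refers to the live table entry, else 0. */
int alias_is_live(const struct supplicant *s) {
    return s->current_bss == s->table;
}

/* Associate to a BSS, grow its IE buffer with the given update routine,
 * and report whether the alias survived.  Returns -1 on allocation failure. */
int scenario(int (*update)(struct supplicant *, size_t)) {
    struct supplicant s;
    s.table = bss_alloc(8);
    if (!s.table) return -1;
    memset(s.table->ie, 0xdd, 8);  /* constructed IE bytes, content irrelevant */
    s.current_bss = s.table;       /* "associated" to this BSS */
    if (update(&s, 64) != 0) { free(s.table); return -1; }
    int live = alias_is_live(&s);
    free(s.table);
    return live;
}

int main(void) {
    printf("alias updated after  bss = nbss: live=%d\n", scenario(update_alias_after));
    printf("alias updated before bss = nbss: live=%d\n", scenario(update_alias_before));
    return 0;
}
```

Nothing in the block dereferences the stale pointer; the buggy variant is only observed through the pointer comparison, which is enough to show that `current_bss` would be used after free on the next access.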