Message ID | 20240923152529.52740-1-ming@imkuang.com |
---|---|
State | New |
Headers | show
Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=A7p14QrX; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=imkuang.com header.i=ming@imkuang.com header.a=rsa-sha256 header.s=zoho header.b=QCYvBuLr; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=patchwork.ozlabs.org) Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XC6KK2ZdVz1xsg for <incoming@patchwork.ozlabs.org>; Tue, 24 Sep 2024 01:26:27 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=47e+cLOC5EVllyzoKKgpQxosDiHdikzldJtNWjR1dng=; b=A7p14QrX3msS0c UvGUssTrpLt0AkeXY6P8L1dAMJ4GPgQF700vrovZIQioQkWdp2STrgVDfuHWF5PaC2HDDX36krbDY NqWZoS/DFk/aW+skhgn34hw3kFS0J6MOPZBQD/5P6ZC2NYujyvdwNetxSuFjyTmoJ7j6OPUYgEwyQ SKbkmZXNwq7yUL9ra5KxYmR6iK2pS7lmgalQo8W9s16R4MhurMJ1gAnNw2hBFP75lz0syUn5H0sZX RrLI26eiqCBphmAxrSP3VtViy+5hZImAIRSjtTKBJNWvzBL7NcT0kLgbsx+MJN2BvXvBlN5yu0Wm6 LQ4kvsBNtnwzgnXE6RFg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1sskwf-0000000HUdL-2ex4; Mon, 23 Sep 2024 15:25:49 +0000 Received: from sender4-op-o15.zoho.com ([136.143.188.15]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1sskwb-0000000HUb6-2fvi for hostap@lists.infradead.org; Mon, 23 Sep 2024 15:25:47 +0000 ARC-Seal: i=1; a=rsa-sha256; t=1727105141; cv=none; d=zohomail.com; s=zohoarc; b=eT7lX+Hf74Im/oVmr3ptQda60a8sUA0MJqa+xlE4pejE75hdscLWm3SjjeHm0f9MbV/5ffk+EEPsNWLK5KG8WlzfWUhfZgnwyVd+3E5i1HyMsr0Y7rYI6+tvZK06nZ+pV6xfuE2xyNywZAQnc+WXO9VWm23wIn7momwvcEdUksU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1727105141; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To; bh=+VcfCyOapvdXr4dylw6CqAO4Xah9jubJ06AKdzuUvoA=; b=kZtOReVIqmGUzrV5pubKnNWKGjtEZ1ToxIXDMGmFjC2t3OtpwzNqgQ6NOd8G/fJI2rX4m/KvBU7wZDpkyGitIOoLsJ3aM0XAiO+u5XqvaC/efmI/EBC0Pw+gjKvxzDzqS1UPIGfbGgC0YufqI2vpsTIJfTPCkphy1ffbdWV6rmM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=imkuang.com; spf=pass smtp.mailfrom=ming@imkuang.com; dmarc=pass header.from=<ming@imkuang.com> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1727105141; s=zoho; d=imkuang.com; i=ming@imkuang.com; h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-Id:Message-Id:MIME-Version:Content-Transfer-Encoding:Reply-To; bh=+VcfCyOapvdXr4dylw6CqAO4Xah9jubJ06AKdzuUvoA=; b=QCYvBuLrE5Trfrzh+niruSY3tYa5+JVC+Fb4qQfZSZvKHcF3IYiLugePVklyxLzu gpP3D4AiCRwSewZ+Fpsra7YijLCO/Ee7Islj+17wpgfHTSZBziVIHWRP+KJEr7i0D8w vU0bcL0aN2sbunv8Tbg77HhMe4eKE2AnJWTtdFfeu+FTQgZJqTrY4tinKxoRMsb+jMU iMqk1bhRqOFycCxHNE+LICTksNA0uUJ1MnT8Y2szhAnWDzDzvEmMHbrz0Qqr9d9xJQr 4JmkbszBdA755FSU3D1wSMDwo8MwLN6RLAZBdtX9jiWvGawFpQCecacsrYmLLc/qiOa BVDDKgpL1g== Received: by mx.zohomail.com with SMTPS id 1727105139321640.9917129979488; Mon, 23 Sep 2024 08:25:39 -0700 (PDT) From: Ming Kuang <ming@imkuang.com> To: hostap@lists.infradead.org Cc: Ming Kuang <ming@imkuang.com> Subject: [PATCH] Fix using invalid memory during driver deinit Date: Mon, 23 Sep 2024 23:25:29 +0800 Message-Id: <20240923152529.52740-1-ming@imkuang.com> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 X-ZohoMailClient: External X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240923_082546_150097_7E51A205 X-CRM114-Status: UNSURE ( 9.59 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -3.0 (---) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: We recorded the address of hapd_iface->bss[0]->drv_priv before calling hostapd_free_hapd_data function and passed it to the hostapd_deinit_driver function after the call. However, the hostapd_free_hap [...] Content analysis details: (-3.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [136.143.188.15 listed in list.dnswl.org] 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [136.143.188.15 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [136.143.188.15 listed in sa-trusted.bondedsender.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 ARC_SIGNED Message has a ARC signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 ARC_VALID Message has a valid ARC signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.9 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [136.143.188.15 listed in wl.mailspike.net] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [136.143.188.15 listed in bl.score.senderscore.com] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: <hostap.lists.infradead.org> List-Unsubscribe: <http://lists.infradead.org/mailman/options/hostap>, <mailto:hostap-request@lists.infradead.org?subject=unsubscribe> List-Archive: <http://lists.infradead.org/pipermail/hostap/> List-Post: <mailto:hostap@lists.infradead.org> List-Help: <mailto:hostap-request@lists.infradead.org?subject=help> List-Subscribe: <http://lists.infradead.org/mailman/listinfo/hostap>, <mailto:hostap-request@lists.infradead.org?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org |
Series |
Fix using invalid memory during driver deinit
|
expand
|
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 7d924893f..6c3bcdb78 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -3627,8 +3627,6 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface) } wpa_msg(hapd_iface->bss[0]->msg_ctx, MSG_INFO, AP_EVENT_DISABLED); - driver = hapd_iface->bss[0]->driver; - drv_priv = hapd_iface->bss[0]->drv_priv; hapd_iface->driver_ap_teardown = !!(hapd_iface->drv_flags & @@ -3647,6 +3645,8 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface) hostapd_free_hapd_data(hapd); } + driver = hapd_iface->bss[0]->driver; + drv_priv = hapd_iface->bss[0]->drv_priv; hostapd_deinit_driver(driver, drv_priv, hapd_iface); /* From hostapd_cleanup_iface: These were initialized in
We recorded the address of hapd_iface->bss[0]->drv_priv before calling hostapd_free_hapd_data function and passed it to the hostapd_deinit_driver function after the call. However, the hostapd_free_hapd_data function may free the hapd->drv_priv memory, which could lead to the hostapd_deinit_driver using an invalid memory address that has already been freed. Signed-off-by: Ming Kuang <ming@imkuang.com> --- src/ap/hostapd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)