Message ID | 20240923152529.52740-1-ming@imkuang.com
---|---
State | Accepted
Series | Fix using invalid memory during driver deinit
On Mon, Sep 23, 2024 at 11:25:29PM +0800, Ming Kuang wrote:
> We recorded the address of hapd_iface->bss[0]->drv_priv before calling the
> hostapd_free_hapd_data function and passed it to the
> hostapd_deinit_driver function after the call.
> However, the hostapd_free_hapd_data function may free the hapd->drv_priv
> memory, which could lead to hostapd_deinit_driver using an invalid
> memory address that has already been freed.

Thanks, applied with some cleanup and with a more detailed commit message explaining why this is safe to do.
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 7d924893f..6c3bcdb78 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -3627,8 +3627,6 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface) } wpa_msg(hapd_iface->bss[0]->msg_ctx, MSG_INFO, AP_EVENT_DISABLED); - driver = hapd_iface->bss[0]->driver; - drv_priv = hapd_iface->bss[0]->drv_priv; hapd_iface->driver_ap_teardown = !!(hapd_iface->drv_flags & @@ -3647,6 +3645,8 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface) hostapd_free_hapd_data(hapd); } + driver = hapd_iface->bss[0]->driver; + drv_priv = hapd_iface->bss[0]->drv_priv; hostapd_deinit_driver(driver, drv_priv, hapd_iface); /* From hostapd_cleanup_iface: These were initialized in
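Review bot: moving the two reads of `hapd_iface->bss[0]->driver` and `hapd_iface->bss[0]->drv_priv` to after the loop that calls `hostapd_free_hapd_data(hapd)` only removes the stale-pointer use if that loop leaves `hapd_iface->bss[0]` itself allocated and resets `drv_priv` (or leaves it pointing at still-valid driver state) when it frees the per-BSS driver data; the commit message says the old value may already be freed, but not what the field holds afterwards or how `hostapd_deinit_driver(driver, drv_priv, hapd_iface)` behaves when it is handed a NULL or already-torn-down `drv_priv`. Please state that in the commit message, or in a one-line comment above the moved `driver = ...` / `drv_priv = ...` lines, so a reader can verify the new ordering is safe without re-deriving the teardown sequence.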
We recorded the address of hapd_iface->bss[0]->drv_priv before calling the
hostapd_free_hapd_data function and passed it to the hostapd_deinit_driver
function after the call. However, the hostapd_free_hapd_data function may
free the hapd->drv_priv memory, which could lead to hostapd_deinit_driver
using an invalid memory address that has already been freed.

Signed-off-by: Ming Kuang <ming@imkuang.com>
---
 src/ap/hostapd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)