Commit
91d91abf6f9bf420643a9245b63f5ac8c6bbb18a ('FILS: DHCP relay for
HLP requests') added steps that are conditional on sta->fils_hlp_resp
being non-NULL. One of these cases within send_assoc_resp() was properly
protected from sta == NULL error case (that is now possible after a
recent DMG change), but the first one was not. A DMG error case in a
CONFIG_FILS=y build could have hit a NULL pointer dereference here. Fix
this by verifying sta != NULL more consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
buflen = sizeof(struct ieee80211_mgmt) + 1024;
#ifdef CONFIG_FILS
- if (sta->fils_hlp_resp)
+ if (sta && sta->fils_hlp_resp)
buflen += wpabuf_len(sta->fils_hlp_resp);
#endif /* CONFIG_FILS */
buf = os_zalloc(buflen);