MBO: Fix possible NULL pointer dereference on candidate handling

If the driver provides input on MBO transition candidate handling, the
target value in get_mbo_transition_candidate() can be NULL if the driver
provided BSSID is not found in the wpa_supplicant BSS table. And later
it would be dereferenced. Fix this by adding an explicit check before
dereferencing the pointer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index f17a8dc83878c9d8e4d25c65af88c936cbbf8ee0..7339ed26d2771968434a6632b77fd10dc2703e81 100644 (file)
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -581,8 +581,9 @@ get_mbo_transition_candidate(struct wpa_supplicant *wpa_s,
                for (i = 0; i < info->num; i++) {
                        target = wpa_bss_get_bssid(wpa_s,
                                                   info->candidates[i].bssid);
-                       if (target->level <
-                           wpa_s->conf->disassoc_imminent_rssi_threshold)
+                       if (target &&
+                           (target->level <
+                            wpa_s->conf->disassoc_imminent_rssi_threshold))
                                continue;
                        goto end;
                }