Fix memory corruption on BSS entry reallocation
authorJouni Malinen <j@w1.fi>
Sat, 2 Jan 2010 23:25:43 +0000 (01:25 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 2 Jan 2010 23:25:43 +0000 (01:25 +0200)
The wpa_s->bss_id list was being corrupted when the BSS entry needed
to be reallocated due to longer IE data. The entry has to be removed
from all lists before reallocation to avoid this (it was only removed
from the wpa_s->bss list).

wpa_supplicant/bss.c

index 62086a4eb648425b13112d1f7d585b58f8af2750..6446c058f0d968d126f460fabc8ab1f7ed16b53e 100644 (file)
@@ -148,12 +148,15 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
                bss->ie_len = res->ie_len;
        } else {
                struct wpa_bss *nbss;
+               struct dl_list *prev = bss->list_id.prev;
+               dl_list_del(&bss->list_id);
                nbss = os_realloc(bss, sizeof(*bss) + res->ie_len);
                if (nbss) {
                        bss = nbss;
                        os_memcpy(bss + 1, res + 1, res->ie_len);
                        bss->ie_len = res->ie_len;
                }
+               dl_list_add(prev, &bss->list_id);
        }
        dl_list_add_tail(&wpa_s->bss, &bss->list);
 }
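Review bot: The else branch now relies on the entry being off every list while os_realloc() may move it, but no comment records that rule, and the commit message shows that forgetting one list is what caused the corruption. A comment above the `dl_list_del(&bss->list_id);` line, for example `/* Unlink from all lists before os_realloc(): the block may move and neighbours would keep stale pointers */`, would help keep a later third list from repeating the bug. The matching unlink from wpa_s->bss happens above the hunk, where wpa_bss_update begins, so it cannot be checked here. Separately, if any pointer to this entry is held outside the two lists (not visible in this hunk), it would still refer to the old block after a successful realloc and should be switched to `nbss` inside the `if (nbss)` branch.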