It was possible for the current network profile to be deleted when
merging duplicated WPS credentials. However, this did not clear
wpa_s->current_ssid and it was possible for something else to end up
dereferencing that pointer to now freed memory. This could be hit, e.g.,
with ap_wps_mixed_cred. Fix this by clearing current_ssid also in this
code path similarly to other cases of network block getting removed.

Signed-off-by: Jouni Malinen <j@w1.fi>

/* Remove the duplicated older network entry. */
wpa_printf(MSG_DEBUG, "Remove duplicate network %d", ssid->id);
wpas_notify_network_removed(wpa_s, ssid);
+ if (wpa_s->current_ssid == ssid)
+ wpa_s->current_ssid = NULL;
wpa_config_remove_network(wpa_s->conf, ssid->id);
}
}
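
Review bot: The two added lines repeat by hand a current_ssid reset that, per the commit message, other network-removal paths already perform; consider moving the "if (wpa_s->current_ssid == ssid)" check into one helper that wraps wpa_config_remove_network(), so a future removal path cannot leave the dangling pointer behind again. Separately, wpas_notify_network_removed(wpa_s, ssid) still runs before current_ssid is cleared, so a notification handler sees the entry being removed as the current network. The entry is not freed yet at that point, but either clearing the pointer before the notification or adding a short comment that the ordering is intentional would make the lifetime easier to audit. Since the message names ap_wps_mixed_cred as a way to hit this, running that test case under a memory checker would confirm the use-after-free is gone.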