iw: scan: fix double-free in error paths

Hit when, for instance, I'm stupid enough to type an invalid scan
command:

  # iw wlan0 scan -h
  BUG at file position lib/msg.c:572:void nlmsg_free(struct nl_msg *)
  iw: lib/msg.c:572: void nlmsg_free(struct nl_msg *): Assertion `0' failed.
  Aborted (core dumped)

Fixes: 2f74c59cf11e ("iw: fix memory leaks inside handle_scan")
Cc: John Crispin <john@phrozen.org>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Link: https://lore.kernel.org/r/20191121224139.58281-1-briannorris@chromium.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/scan.c b/scan.c
index 1418da73a624c7b1fd19c0e4acf6ef63c788cefb..bfd39e4b1a1c399c3ef69f1f8a05eb435f84d52b 100644 (file)
--- a/scan.c
+++ b/scan.c
@@ -448,8 +448,6 @@ static int handle_scan(struct nl80211_state *state,
                        }
                        /* fall through - this is an error */
                case DONE:
-                       nlmsg_free(ssids);
-                       nlmsg_free(freqs);
                        err = 1;
                        goto nla_put_failure;
                case FREQ: