P2P: Fix segfault when PBC overlap is detected
authorAvraham Stern <avraham.stern@intel.com>
Thu, 27 Mar 2014 06:58:30 +0000 (08:58 +0200)
committerJouni Malinen <j@w1.fi>
Fri, 28 Mar 2014 17:31:26 +0000 (19:31 +0200)
If a separate P2P group interface is used, PBC overlap during group
formation causes the group interface to be removed, which ends up with
the interface context becoming invalid. Fix this by scheduling a timeout
to process the PBC overlap and interface removal instead of removing the
interface directly before the connection operation has returned.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
wpa_supplicant/events.c
wpa_supplicant/p2p_supplicant.c
wpa_supplicant/p2p_supplicant.h
wpa_supplicant/wps_supplicant.c

index 847d50d23fab0da827323f6b2ba27a2c2d37f843..e9a4a8cb446753b80eb42e9e28c6cd252fb46f65 100644 (file)
@@ -1069,8 +1069,12 @@ int wpa_supplicant_connect(struct wpa_supplicant *wpa_s,
                wpa_msg(wpa_s, MSG_INFO, WPS_EVENT_OVERLAP
                        "PBC session overlap");
 #ifdef CONFIG_P2P
-               if (wpas_p2p_notif_pbc_overlap(wpa_s) == 1)
+               if (wpa_s->p2p_group_interface == P2P_GROUP_INTERFACE_CLIENT ||
+                   wpa_s->p2p_in_provisioning) {
+                       eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb,
+                                              wpa_s, NULL);
                        return -1;
+               }
 #endif /* CONFIG_P2P */
 
 #ifdef CONFIG_WPS
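Review bot: The timeout registered by `eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb, wpa_s, NULL)` holds a raw `wpa_s` pointer, and nothing in this diff cancels it when the interface is torn down. If the interface is removed by some other path before the callback fires, the callback would run on freed memory, which is the same class of fault this commit fixes. Unless teardown already does this outside the diff, the interface deinit path should call `eloop_cancel_timeout(wpas_p2p_pbc_overlap_cb, wpa_s, NULL);`, and the same applies to the registration in wpa_supplicant_wps_event_m2d() in wps_supplicant.c. The return value of eloop_register_timeout() is also dropped, so on failure the function still returns -1 but the overlap is never processed; a `wpa_printf(MSG_DEBUG, ...)` on a negative return would make that visible. wpa_supplicant_connect() begins and ends outside the hunk.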
index 5e36a673a3709603d52b1292125eb4405c04d6d2..303b7febe2486bf86c4a3dceca86113592c34090 100644 (file)
@@ -6392,6 +6392,13 @@ int wpas_p2p_notif_pbc_overlap(struct wpa_supplicant *wpa_s)
 }
 
 
+void wpas_p2p_pbc_overlap_cb(void *eloop_ctx, void *timeout_ctx)
+{
+       struct wpa_supplicant *wpa_s = eloop_ctx;
+       wpas_p2p_notif_pbc_overlap(wpa_s);
+}
+
+
 void wpas_p2p_update_channel_list(struct wpa_supplicant *wpa_s)
 {
        struct p2p_channels chan, cli_chan;
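Review bot: wpas_p2p_pbc_overlap_cb() is now exported and registered from two files, but it has no comment stating its contract. The commit message says overlap processing can remove the group interface, so a comment above the definition such as `/* eloop timeout handler: runs PBC overlap handling outside the caller's stack; wpa_s may no longer be valid on return */` would warn future callers against invoking it directly from a connect or message-processing path. `timeout_ctx` is unused and the return value of wpas_p2p_notif_pbc_overlap() is discarded; both look intentional, but the same comment should say so.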
index d3d36b1d238169251ce956351c5aa0e9077eddfb..0bf3ca9b97a8744a59a8d813e01bbd1fb393f5fa 100644 (file)
@@ -158,6 +158,7 @@ int wpas_p2p_nfc_report_handover(struct wpa_supplicant *wpa_s, int init,
                                 const struct wpabuf *req,
                                 const struct wpabuf *sel, int forced_freq);
 int wpas_p2p_nfc_tag_enabled(struct wpa_supplicant *wpa_s, int enabled);
+void wpas_p2p_pbc_overlap_cb(void *eloop_ctx, void *timeout_ctx);
 
 #ifdef CONFIG_P2P
 int wpas_p2p_4way_hs_failed(struct wpa_supplicant *wpa_s);
index b086c4713d6e6a0b69ad2b3e1d44c009e99e8abc..dfcc0693faf32e3b0b3081155fb8c03e6798cce4 100644 (file)
@@ -510,15 +510,6 @@ static int wpa_supplicant_wps_cred(void *ctx,
 }
 
 
-#ifdef CONFIG_P2P
-static void wpas_wps_pbc_overlap_cb(void *eloop_ctx, void *timeout_ctx)
-{
-       struct wpa_supplicant *wpa_s = eloop_ctx;
-       wpas_p2p_notif_pbc_overlap(wpa_s);
-}
-#endif /* CONFIG_P2P */
-
-
 static void wpa_supplicant_wps_event_m2d(struct wpa_supplicant *wpa_s,
                                         struct wps_event_m2d *m2d)
 {
@@ -537,7 +528,7 @@ static void wpa_supplicant_wps_event_m2d(struct wpa_supplicant *wpa_s,
                 * Notify P2P from eloop timeout to avoid issues with the
                 * interface getting removed while processing a message.
                 */
-               eloop_register_timeout(0, 0, wpas_wps_pbc_overlap_cb, wpa_s,
+               eloop_register_timeout(0, 0, wpas_p2p_pbc_overlap_cb, wpa_s,
                                       NULL);
        }
 #endif /* CONFIG_P2P */