Fix MAC ACL query freeing on deinit
authorJouni Malinen <jouni@qca.qualcomm.com>
Wed, 8 Feb 2017 15:37:50 +0000 (17:37 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 8 Feb 2017 21:48:19 +0000 (23:48 +0200)
hapd->acl_cache and hapd->acl_queries were not reset back to NULL in
hostapd_acl_deinit() when cached results and pending ACL queries were
freed. This left stale pointers to freed memory in hapd. While this was
normally followed by freeing of the hapd data, it is possible to re-use
that hapd when disabling and re-enabling an interface. That sequence
could result in use of freed memory if done while there were cached
results or pending ACL operations with a RADIUS server (especially, if
that server did not reply).

Fix this by setting hapd->acl_queries to NULL when the pending entries
are freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/ap/ieee802_11_auth.c

index b8905373618db9f6e383c2858ca89957f79dd924..1e0358cec9dbc939bd725040b26b7413cf4d0f39 100644 (file)
@@ -665,9 +665,11 @@ void hostapd_acl_deinit(struct hostapd_data *hapd)
 
 #ifndef CONFIG_NO_RADIUS
        hostapd_acl_cache_free(hapd->acl_cache);
+       hapd->acl_cache = NULL;
 #endif /* CONFIG_NO_RADIUS */
 
        query = hapd->acl_queries;
+       hapd->acl_queries = NULL;
        while (query) {
                prev = query;
                query = query->next;
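Review bot: The two added NULL assignments in hostapd_acl_deinit() have no comment, so the reason they matter (the same hapd can be used again when an interface is disabled and re-enabled) is recorded only in the commit description. I would add a comment above `hapd->acl_cache = NULL;` such as `/* hapd may be re-used after interface disable/enable; do not leave pointers to freed ACL entries */`. Clearing `hapd->acl_queries` before the loop is the right order, since the list head never points at a partly freed list while the entries are released. The function starts above the hunk and the loop body continues below it, so it cannot be confirmed from here that nothing else, for example a RADIUS response handler, still holds a pointer to a freed query; that is worth checking, ideally with a regression test that disables and re-enables the interface while a query is unanswered.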