Fix memory leak in hostapd BSS_TM_REQ error path handling

The optional url=<URL> parameter was stored in allocated memory and that
memory was leaked if some following parameter parsing attempts failed.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index 7a49249e70b8a19e4b9fb59e2d8cde57f226bc75..164e10d6ad3254cdf12625ed750131a924de019a 100644 (file)
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -1017,14 +1017,16 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostapd_data *hapd,
                if (ret != 3) {
                        wpa_printf(MSG_DEBUG,
                                   "MBO requires three arguments: mbo=<reason>:<reassoc_delay>:<cell_pref>");
-                       return -1;
+                       ret = -1;
+                       goto fail;
                }
 
                if (mbo_reason > MBO_TRANSITION_REASON_PREMIUM_AP) {
                        wpa_printf(MSG_DEBUG,
                                   "Invalid MBO transition reason code %u",
                                   mbo_reason);
-                       return -1;
+                       ret = -1;
+                       goto fail;
                }
 
                /* Valid values for Cellular preference are: 0, 1, 255 */
@@ -1032,7 +1034,8 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostapd_data *hapd,
                        wpa_printf(MSG_DEBUG,
                                   "Invalid MBO cellular capability %u",
                                   cell_pref);
-                       return -1;
+                       ret = -1;
+                       goto fail;
                }
 
                if (reassoc_delay > 65535 ||
@@ -1040,7 +1043,8 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostapd_data *hapd,
                     !(req_mode & WNM_BSS_TM_REQ_DISASSOC_IMMINENT))) {
                        wpa_printf(MSG_DEBUG,
                                   "MBO: Assoc retry delay is only valid in disassoc imminent mode");
-                       return -1;
+                       ret = -1;
+                       goto fail;
                }
 
                *mbo_pos++ = MBO_ATTR_ID_TRANSITION_REASON;
@@ -1066,6 +1070,7 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostapd_data *hapd,
                                  nei_pos > nei_rep ? nei_rep : NULL,
                                  nei_pos - nei_rep, mbo_len ? mbo : NULL,
                                  mbo_len);
+fail:
        os_free(url);
        return ret;
 }