From: Jouni Malinen
Date: Thu, 19 Nov 2009 19:12:06 +0000 (+0200)
Subject: wpa_gui: Avoid using freed item in enter_pin()
X-Git-Tag: hostap_0_7_0~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da87d6f8b560b3fcf75c622a84bafb60daa1e90c;p=thirdparty%2Fhostap.git

wpa_gui: Avoid using freed item in enter_pin()

The Enrollee entry may be deleted while the PIN query dialog is open. To avoid crashing on using freed entry, copy the needed data into local variables before and use the local data after the PIN dialog has been closed.
---
diff --git a/wpa_supplicant/wpa_gui-qt4/peers.cpp b/wpa_supplicant/wpa_gui-qt4/peers.cpp
index 5d2598fc9..5dce40b19 100644
--- a/wpa_supplicant/wpa_gui-qt4/peers.cpp
+++ b/wpa_supplicant/wpa_gui-qt4/peers.cpp
@@ -147,6 +147,14 @@ void Peers::enter_pin()
 if (ctx_item == NULL)
 return;
 
+ int peer_type = ctx_item->data(peer_role_type).toInt();
+ QString uuid;
+ QString addr;
+ if (peer_type == PEER_TYPE_WPS_ER_ENROLLEE)
+ uuid = ctx_item->data(peer_role_uuid).toString();
+ else
+ addr = ctx_item->data(peer_role_address).toString();
+
 StringQuery input(tr("PIN:"));
 input.setWindowTitle(tr("PIN for ") + ctx_item->text());
 if (input.exec() != QDialog::Accepted)
@@ -156,14 +164,11 @@ void Peers::enter_pin()
 char reply[100];
 size_t reply_len;
 
- if (ctx_item->data(peer_role_type).toInt() ==
- PEER_TYPE_WPS_ER_ENROLLEE) {
- QString uuid = ctx_item->data(peer_role_uuid).toString();
+ if (peer_type == PEER_TYPE_WPS_ER_ENROLLEE) {
 snprintf(cmd, sizeof(cmd), "WPS_ER_PIN %s %s",
 uuid.toAscii().constData(),
 input.get_string().toAscii().constData());
 } else {
- QString addr = ctx_item->data(peer_role_address).toString();
 snprintf(cmd, sizeof(cmd), "WPS_PIN %s %s",
 addr.toAscii().constData(),
 input.get_string().toAscii().constData());
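Review bot: The block that copies `peer_type`, `uuid` and `addr` ahead of `input.exec()` carries no comment saying why it must stay there, so the only thing keeping `ctx_item` from being read after it may have been freed is statement order. A later edit could move a `ctx_item` access back below `exec()` and reintroduce the use of a freed item; I would add above the new `int peer_type` line: `/* ctx_item may be deleted while the PIN dialog is open; copy what is needed now and do not touch ctx_item after exec() */`. The body of enter_pin() continues past both hunks, so whether any other `ctx_item` access follows the dialog cannot be checked from here.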
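Review bot: Both `snprintf(cmd, sizeof(cmd), ...)` calls in the second hunk discard the return value, so a UUID or address plus a PIN string that does not fit in `cmd` is silently truncated and the shortened command is presumably what gets sent on. `cmd` is declared above the hunk (the neighbouring `reply` is 100 bytes), and the PIN comes straight from `input.get_string()` with no length or character check visible here. Capturing the result as `int res = snprintf(...)` in each branch and returning on `if (res < 0 || (size_t) res >= sizeof(cmd))` would reject over-long input instead of sending a cut-off command. The close of the else branch and the rest of the function lie outside the hunk.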