git.ipfire.org Git - thirdparty/hostap.git/commit - wpa_supplicant/p2p_supplicant.c
P2P: Fix crash for failure case when WSC PIN is entered incorrectly
author: Angie Chinchilla <angie.v.chinchilla@intel.com>
Fri, 6 Apr 2012 15:22:03 +0000 (18:22 +0300)
committer: Jouni Malinen <j@w1.fi>
Fri, 6 Apr 2012 15:22:03 +0000 (18:22 +0300)
commit: eb6f8c2bd4f944c972ff09ecb592e6dc19d3d895
tree: 2491ea2a6ffcfa91e27825b218202415d4304fed
parent: 4f920dc63e6f340d71ecd60980c173dda2fa0da8
When forming a P2P group using WSC PIN method, if the PIN is entered
incorrectly the P2P client supplicant instance will crash as a result
of cleanup happening on data that is still in use in a case where a
separate P2P group interface is used.

For example, here is the path for the first crash:
eap_wsc_process():
- creates struct wpabuf tmpbuf; on the stack
- sets data->in_buf = &tmpbuf;
- calls wps_process_msg()
- which calls wps_process_wsc_msg()
- which, in case WPS_M4: calls wps_fail_event()
- which calls wps->event_cb()
- wps->event_cb = wpa_supplicant_wps_event()
- wpa_supplicant_wps_event()
- wpa_supplicant_wps_event_fail()
- which calls wpas_clear_wps()
- which calls wpas_notify_network_removed()
- which calls wpas_p2p_network_removed()
- which calls wpas_p2p_group_formation_timeout()
- which calls wpas_group_formation_completed()
- which calls wpas_p2p_group_delete()
- which calls wpa_supplicant_remove_iface()
- which calls wpa_supplicant_deinit_iface()
- which calls wpa_supplicant_cleanup()
- which calls eapol_sm_deinit()
- ... which eventually uses the ptr data->in_buf to free tmpbuf, our
stack variable and then the supplicant crashes

If you fix this crash, you'll hit another. Fix it and then a segfault.
The way we're cleaning up and deleting data from under ourselves here
just isn't safe, so make the teardown portion of this async.

Signed-hostap: Angie Chinchilla <angie.v.chinchilla@intel.com>
Signed-hostap: Nirav Shah <nirav.j2.shah@intel.com>
intended-for: hostap-1
wpa_supplicant/p2p_supplicant.c
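The call chain in the commit message ends with a teardown that frees a buffer still referenced from a caller's stack frame, and the stated fix is to make that teardown asynchronous. The page shows no diff, so what follows is an added C model written for this page, not hostap's code: simplified stand-ins for struct wpabuf and the EAP-WSC state data, a tiny deferred-work queue standing in for an event-loop timeout (an assumption about the mechanism the commit used), and a simulate() function that pushes a constructed "wrong PIN" message through both the synchronous and the deferred teardown path. The bad free of the stack buffer is recorded in a flag rather than performed, so the model runs to completion and shows why deferring the teardown past the return of the processing function is enough to avoid it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for hostap's types (assumed, not the real definitions). */
struct wpabuf {
	const unsigned char *data;
	size_t len;
	int on_heap;            /* 0: storage belongs to a caller's stack frame */
};

struct eap_wsc_data {
	struct wpabuf *in_buf;  /* valid only while process() is running */
	int deinitialised;
	int freed_stack_buf;    /* set instead of crashing when the bug fires */
};

/* Stands in for the in_buf cleanup reached via eapol_sm_deinit(). A real
 * free() on a stack address would abort the process; here it is recorded. */
static void wsc_deinit(struct eap_wsc_data *data)
{
	if (data->in_buf) {
		if (data->in_buf->on_heap)
			free((void *) data->in_buf->data);
		else
			data->freed_stack_buf = 1;   /* the crash from the commit message */
		data->in_buf = NULL;
	}
	data->deinitialised = 1;
}

/* Tiny deferred-work queue standing in for a zero-delay event-loop timeout. */
typedef void (*work_cb)(void *ctx);
static struct { work_cb cb; void *ctx; } pending[4];
static int n_pending;

static void defer(work_cb cb, void *ctx)
{
	if (n_pending < 4) {
		pending[n_pending].cb = cb;
		pending[n_pending].ctx = ctx;
		n_pending++;
	}
}

static void run_pending(void)
{
	for (int i = 0; i < n_pending; i++)
		pending[i].cb(pending[i].ctx);
	n_pending = 0;
}

static void teardown_cb(void *ctx)
{
	wsc_deinit(ctx);
}

/* Failure event: the unsafe variant tears the state machine down while the
 * caller still holds in_buf; the async variant only schedules the teardown. */
static void fail_event(struct eap_wsc_data *data, int async)
{
	if (async)
		defer(teardown_cb, data);
	else
		wsc_deinit(data);
}

/* Models eap_wsc_process(): tmpbuf lives on this frame and in_buf points at
 * it only for the duration of the call. */
static void wsc_process(struct eap_wsc_data *data, const unsigned char *msg,
			size_t len, int async)
{
	struct wpabuf tmpbuf = { msg, len, 0 };

	data->in_buf = &tmpbuf;
	/* Constructed rule for the demo: a message starting with 0x00 is a wrong PIN. */
	if (len == 0 || msg[0] == 0)
		fail_event(data, async);
	data->in_buf = NULL;
}

/* Runs one wrong-PIN exchange; returns 1 if the stack buffer would have been
 * freed. *deinitialised reports whether teardown happened at all. */
int simulate(int async, int *deinitialised)
{
	static const unsigned char bad_pin_msg[] = { 0x00, 0x01, 0x02 }; /* constructed */
	struct eap_wsc_data data = { 0 };

	wsc_process(&data, bad_pin_msg, sizeof(bad_pin_msg), async);
	run_pending();   /* the event loop only gets control after process() returns */
	*deinitialised = data.deinitialised;
	return data.freed_stack_buf;
}

int main(void)
{
	int d = 0, freed;

	freed = simulate(0, &d);
	printf("synchronous teardown: stack buffer freed=%d torn_down=%d\n", freed, d);
	freed = simulate(1, &d);
	printf("deferred teardown:    stack buffer freed=%d torn_down=%d\n", freed, d);
	return 0;
}
```

In the synchronous path the failure callback reaches wsc_deinit() while in_buf still points into wsc_process()'s frame, which is the pattern the commit message traces through wpas_p2p_group_delete() down to eapol_sm_deinit(). In the deferred path the same teardown runs from the queue after wsc_process() has returned and cleared in_buf, so nothing is left pointing at the dead frame and the state machine is still torn down.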