git.ipfire.org Git - thirdparty/hostap.git/commit
hostapd: hostapd_cleanup_iface_partial: Fix hw_features use after free
author: Petr Štetiar <petr.stetiar@prplfoundation.org>
Wed, 18 Dec 2024 07:50:18 +0000 (07:50 +0000)
committer: Jouni Malinen <j@w1.fi>
Sun, 22 Dec 2024 22:34:06 +0000 (00:34 +0200)
commit: d17a85ea1ed12f916e7a0cd9028c66465272a4cc
tree: 0d2fa903f1f80ce3de5723f7453a10e2e12f02ab
parent: 089e360cc74f30666658ecd93a7a1b5bfd1e1452
hostapd: hostapd_cleanup_iface_partial: Fix hw_features use after free

Currently when the iface is being cleaned up, the
hostapd_free_hw_features() is called which frees the underlying
hw_features and the struct is being NULLed, but the num_hw_features
counter is not being reset, thus following commonly used access
constructs:

   for (i = 0; i < iface->num_hw_features; i++)
            acs_cleanup_mode(&iface->hw_features[i]);

This might then lead to use after free and hostapd for example might
crash during configuration reload on disabled interfaces:

  $ hostapd -ddt /tmp/wlan2_hapd.conf &
  $ hostapd_cli -i wlan2 raw DISABLE

  Fri Oct  4 20:44:04 2024 1728074644.706408: wlan2: AP-DISABLED

  $ kill -SIGHUP $(pidof hostapd)
  Segmentation fault (core dumped) hostapd -ddt /tmp/wlan2_hapd.conf

So let's fix it by resetting the num_hw_features counter to 0, so the
code will not try to access the freed memory in hw_features struct.

Reported-by: Mohammed SI ALI <mohammed.siali@softathome.com>
Tested-by: Houssem Dafdouf <houssem.dafdouf_ext@softathome.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Petr Štetiar <petr.stetiar@prplfoundation.org>
src/ap/hostapd.c
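The stale-counter pattern the commit describes, as an added C example that is not hostapd's own code: a cut-down iface with the pre-fix and post-fix cleanup side by side, and the loop from the commit message to show why only the reset counter makes it safe. Struct shapes and function names are assumed for illustration, not taken from src/ap/hostapd.c.

```c
#include <stdlib.h>

/* Stand-ins for hostapd's structures; the shape is assumed for this
 * example and not copied from src/ap/hostapd.h. */
struct hostapd_hw_modes {
	int num_channels;
};

struct hostapd_iface {
	struct hostapd_hw_modes *hw_features;
	unsigned int num_hw_features;
};

/* Give an iface n dummy hardware modes (constructed input). */
void iface_init(struct hostapd_iface *iface, unsigned int n)
{
	iface->hw_features = calloc(n, sizeof(*iface->hw_features));
	iface->num_hw_features = iface->hw_features ? n : 0;
}

/* Pre-fix behaviour: array freed and NULLed, counter left untouched. */
void cleanup_stale_counter(struct hostapd_iface *iface)
{
	free(iface->hw_features);
	iface->hw_features = NULL;
}

/* Post-fix behaviour: counter reset together with the pointer. */
void cleanup_reset_counter(struct hostapd_iface *iface)
{
	free(iface->hw_features);
	iface->hw_features = NULL;
	iface->num_hw_features = 0;
}

/* The access pattern quoted in the commit message. Returns how many
 * modes it touched; with a stale counter and a NULL array the first
 * iteration dereferences NULL, i.e. the crash seen on SIGHUP reload. */
unsigned int visit_modes(struct hostapd_iface *iface)
{
	unsigned int i, touched = 0;
	for (i = 0; i < iface->num_hw_features; i++) {
		iface->hw_features[i].num_channels = 0;
		touched++;
	}
	return touched;
}
```

Only the reset-counter variant may be followed by visit_modes(); after cleanup_stale_counter() the loop bound is still 3 while the array is NULL.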