tests: Fix fuzzing tester for WNM
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 6 Mar 2024 15:36:10 +0000 (17:36 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 6 Mar 2024 15:38:08 +0000 (17:38 +0200)
Processing of WNM frames can result in a lookup of the current BSS
table. As such, the testing tool needs to initialize the BSS table to
avoid NULL pointer dereferences. This is not an issue that would show up
with real production uses with wpa_supplicant since wpa_bss_init() is
called there.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67244
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
tests/fuzzing/wnm/wnm.c

index 1ae0189946203cd1b2444b4c341ef0a0059b4af9..ea2341006010a4349a0fb7396f92d701df669ba4 100644 (file)
@@ -53,6 +53,8 @@ static int init_wpa(struct arg_ctx *ctx)
        ctx->wpa_s.driver = &ctx->driver;
        ctx->wpa_s.wpa = &ctx->wpa;
        ctx->wpa_s.conf = &ctx->conf;
+       if (wpa_bss_init(&ctx->wpa_s) < 0)
+               return -1;
 
        return 0;
 }
@@ -61,6 +63,7 @@ static int init_wpa(struct arg_ctx *ctx)
 static void deinit_wpa(struct arg_ctx *ctx)
 {
        wnm_btm_reset(&ctx->wpa_s);
+       wpa_bss_flush(&ctx->wpa_s);
 }
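Review bot: In deinit_wpa() the added `wpa_bss_flush(&ctx->wpa_s);` is not the symmetric teardown for the `wpa_bss_init()` call added in init_wpa(); in wpa_supplicant that counterpart is `wpa_bss_deinit()`. The body of wpa_bss_init() is not shown here, but if it registers more than the empty BSS lists (an expiration timer is the likely case), a flush alone leaves that registration pointing at ctx->wpa_s after the fuzz iteration has finished with it. Consider `wpa_bss_deinit(&ctx->wpa_s);` instead, or add a one-line comment stating why flushing the entries is sufficient in the fuzzing harness. Whether the caller acts on the new `return -1` path of init_wpa() is outside the hunks and worth confirming.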