DPP2: Do not try to remove Controller TCP connection twice on error
authorJouni Malinen <jouni@codeaurora.org>
Mon, 18 Oct 2021 21:23:09 +0000 (00:23 +0300)
committerJouni Malinen <j@w1.fi>
Mon, 18 Oct 2021 21:32:02 +0000 (00:32 +0300)
These code paths on the Controller were calling dpp_connection_remove()
twice for the same connection in the error cases. That would result in
double-freeing of the memory, so fix this by removing the
dpp_connection_remove() call from the called function and instead,
remove the connection in dpp_controller_rx() error handling.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/common/dpp_tcp.c

index 103eda272649b015bb9340c6e3d9280728427fd4..fb8ef1c5bfaf1bbac3eb4eafb7f2be38c12cb6e1 100644 (file)
@@ -671,10 +671,8 @@ static int dpp_controller_rx_auth_req(struct dpp_connection *conn,
        }
 
        if (dpp_set_configurator(conn->auth,
-                                conn->ctrl->configurator_params) < 0) {
-               dpp_connection_remove(conn);
+                                conn->ctrl->configurator_params) < 0)
                return -1;
-       }
 
        return dpp_tcp_send_msg(conn, conn->auth->resp_msg);
 }
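Review bot: The final statement of dpp_controller_rx_auth_req() still propagates the result of `dpp_tcp_send_msg(conn, conn->auth->resp_msg)`. That helper is not visible in this diff, so it is worth confirming that none of its failure paths both remove the connection and return -1, because the caller-side cleanup in dpp_controller_rx() would then free conn a second time. The ownership rule this commit relies on is also only implicit; a short comment above each rx handler would guard against regressions, e.g. `/* On error return -1 without calling dpp_connection_remove(); dpp_controller_rx() removes conn. */`. The same comment fits dpp_controller_rx_auth_resp() and dpp_controller_rx_presence_announcement() in the later hunks. The function body starts outside this hunk.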
@@ -700,7 +698,6 @@ static int dpp_controller_rx_auth_resp(struct dpp_connection *conn,
                        return 0;
                }
                wpa_printf(MSG_DEBUG, "DPP: No confirm generated");
-               dpp_connection_remove(conn);
                return -1;
        }
 
@@ -862,7 +859,6 @@ static int dpp_controller_rx_presence_announcement(struct dpp_connection *conn,
                return -1;
        if (dpp_set_configurator(auth, conn->ctrl->configurator_params) < 0) {
                dpp_auth_deinit(auth);
-               dpp_connection_remove(conn);
                return -1;
        }