nl80211: Fix use after free of bss in MLD link removal

This was reported by ASAN, the bss variable was just freed a bit
earlier.

Fixes: c6ff28cb63a5 ("AP MLD: Handle garbage pointer after MLD interface is deleted")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 024eae7ee3fa6636f13bc38ed0ad7bc0f829b29b..1ba8f1f331ec6c01695e21074ecec072cb107e93 100644 (file)
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -10975,6 +10975,8 @@ static int driver_nl80211_link_remove(void *priv, enum wpa_driver_if_type type,
                drv->ctx = bss->ctx;
 
        if (!bss->valid_links) {
+               void *ctx = bss->ctx;
+
                wpa_printf(MSG_DEBUG,
                           "nl80211: No more links remaining, so remove interface");
                ret = wpa_driver_nl80211_if_remove(bss, type, ifname);
@@ -10982,7 +10984,7 @@ static int driver_nl80211_link_remove(void *priv, enum wpa_driver_if_type type,
                        return ret;
 
                /* Notify that the MLD interface is removed */
-               wpa_supplicant_event(bss->ctx, EVENT_MLD_INTERFACE_FREED, NULL);
+               wpa_supplicant_event(ctx, EVENT_MLD_INTERFACE_FREED, NULL);
        }
 
        return 0;