Fix REMOVE_NETWORK to not run operations with invalid current_ssid

If the REMOVE_NETWORK command is used to delete the currently connected
network, some operations were run between removing the network and
clearing of wpa_s->current_ssid. This left wpa_s->current_ssid pointing
to freed memory and should any operation end up using it before the
pointer gets cleared, freed memory could be references. Avoid this by
removing the network only after having completed the operations that
clear wpa_s->current_ssid.

Signed-hostap: Deepthi Gowri <deepthi@codeaurora.org>
intended-for: hostap-1

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 18dd088d8914c1ee7c853524d28c304d396cb29c..df5ecd3244aec7e9385c415478c93ac463be7b32 100644 (file)
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -1861,8 +1861,7 @@ static int wpa_supplicant_ctrl_iface_remove_network(
        ssid = wpa_config_get_network(wpa_s->conf, id);
        if (ssid)
                wpas_notify_network_removed(wpa_s, ssid);
-       if (ssid == NULL ||
-           wpa_config_remove_network(wpa_s->conf, id) < 0) {
+       if (ssid == NULL) {
                wpa_printf(MSG_DEBUG, "CTRL_IFACE: Could not find network "
                           "id=%d", id);
                return -1;
@@ -1886,6 +1885,12 @@ static int wpa_supplicant_ctrl_iface_remove_network(
                wpa_supplicant_disassociate(wpa_s, WLAN_REASON_DEAUTH_LEAVING);
        }
 
+       if (wpa_config_remove_network(wpa_s->conf, id) < 0) {
+               wpa_printf(MSG_DEBUG, "CTRL_IFACE: Not able to remove the "
+                          "network id=%d", id);
+               return -1;
+       }
+
        return 0;
 }