Fix RSN preauth candidate list clearing to avoid segfaults

Commit c5b26e33c1829c62c3b5872865ca202f6c42436e broke the processing
of the candidate list entries when an old entry was either removed or
reused. The entry needs to be removed from the list to avoid leaving
pointers to freed memory.

http://bugs.gentoo.org/show_bug.cgi?id=330085
http://w1.fi/bugz/show_bug.cgi?id=372

diff --git a/src/rsn_supp/preauth.c b/src/rsn_supp/preauth.c
index f3a0681cbefcab7e63ee62bfcb5632320f463b8d..6109f5e9f87344bb627ee8d983700346b7b1fa65 100644 (file)
--- a/src/rsn_supp/preauth.c
+++ b/src/rsn_supp/preauth.c
@@ -49,8 +49,10 @@ void pmksa_candidate_free(struct wpa_sm *sm)
                return;
 
        dl_list_for_each_safe(entry, n, &sm->pmksa_candidates,
-                             struct rsn_pmksa_candidate, list)
+                             struct rsn_pmksa_candidate, list) {
+               dl_list_del(&entry->list);
                os_free(entry);
+       }
 }
 
 
@@ -378,6 +380,7 @@ void pmksa_candidate_add(struct wpa_sm *sm, const u8 *bssid,
        }
 
        if (cand) {
+               dl_list_del(&cand->list);
                if (prio < PMKID_CANDIDATE_PRIO_SCAN)
                        cand->priority = prio;
        } else {