Clean up hostapd add_iface error path operations

If hapd_iface->bss[i] == NULL, this could have resulted in NULL pointer
dereference in the debug print. Avoid this by skipping the message in
case of NULL pointer. In addition, clear iface->bss[i] to NULL for
additional robustness even though this array gets freed immediately.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 435a4e51b9bb04f23dd7d3797d58f331adf6ee6d..ad1c2d039629767d470c10ecc40d19d6166d5d3a 100644 (file)
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -1877,14 +1877,17 @@ fail:
                if (hapd_iface->bss) {
                        for (i = 0; i < hapd_iface->num_bss; i++) {
                                hapd = hapd_iface->bss[i];
-                               if (hapd && hapd_iface->interfaces &&
+                               if (!hapd)
+                                       continue;
+                               if (hapd_iface->interfaces &&
                                    hapd_iface->interfaces->ctrl_iface_deinit)
                                        hapd_iface->interfaces->
                                                ctrl_iface_deinit(hapd);
                                wpa_printf(MSG_DEBUG, "%s: free hapd %p (%s)",
                                           __func__, hapd_iface->bss[i],
-                                       hapd_iface->bss[i]->conf->iface);
-                               os_free(hapd_iface->bss[i]);
+                                          hapd->conf->iface);
+                               os_free(hapd);
+                               hapd_iface->bss[i] = NULL;
                        }
                        os_free(hapd_iface->bss);
                }