WPS ER: Fix AP entry freeing on timeout

Must unlink the entry first before trying to remove it to avoid
leaving behind pointers to freed memory.

diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
index f2fa9c5a4450449c6db1f2961f71a0d564801e8e..26bac70545c31125dd7ea5941d22a84b0296325f 100644 (file)
--- a/src/wps/wps_er.c
+++ b/src/wps/wps_er.c
@@ -268,11 +268,30 @@ static void wps_er_ap_free(struct wps_er *er, struct wps_er_ap *ap)
 }
 
 
+static void wps_er_ap_unlink(struct wps_er *er, struct wps_er_ap *ap)
+{
+       struct wps_er_ap *prev, *tmp;
+       tmp = er->ap;
+       prev = NULL;
+       while (tmp) {
+               if (tmp == ap) {
+                       if (prev)
+                               prev->next = ap->next;
+                       else
+                               er->ap = ap->next;
+               }
+               prev = tmp;
+               tmp = tmp->next;
+       }
+}
+
+
 static void wps_er_ap_timeout(void *eloop_data, void *user_ctx)
 {
        struct wps_er *er = eloop_data;
        struct wps_er_ap *ap = user_ctx;
        wpa_printf(MSG_DEBUG, "WPS ER: AP advertisement timed out");
+       wps_er_ap_unlink(er, ap);
        wps_er_ap_free(er, ap);
 }