driver->hapd_deinit() is going to free the memory that the cached
pointers are pointing to, so clear the pointers to avoid possibility of
dereferencing used memory. It seemed to be possible to hit a code path
using those fields by issuing a CHAN_SWITCH command on disabled hostapd
interface in some cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p",
__func__, (int) j,
hapd_iface->bss[j]->drv_priv);
- if (hapd_iface->bss[j]->drv_priv == drv_priv)
+ if (hapd_iface->bss[j]->drv_priv == drv_priv) {
hapd_iface->bss[j]->drv_priv = NULL;
+ hapd_iface->extended_capa = NULL;
+ hapd_iface->extended_capa_mask = NULL;
+ hapd_iface->extended_capa_len = 0;
+ }
}
}
}
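Review bot: The three extended_capa fields cleared in the new braced block belong to hapd_iface rather than to bss[j], yet they are reset inside the per-BSS loop and only when bss[j]->drv_priv == drv_priv matches. This couples interface-level state to a per-BSS comparison and repeats the same assignments for every matching BSS. Consider clearing them once outside the j loop after a match has been seen, or add a short comment stating that these pointers reference memory owned by the driver private data, so the reason for clearing them alongside drv_priv is explicit. The commit message mentions a CHAN_SWITCH path on a disabled interface reaching these fields; the consumers are not visible in this hunk, so it is worth confirming that they treat extended_capa == NULL with extended_capa_len == 0 as "no capabilities" instead of dereferencing unconditionally.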