Clear hostapd bss entry to NULL on add-interface-failure

It looks like leaving behind the freed pointed at the end of the array
could end up in a crash triggered by double free in some cases.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 75baec0e8a168174715996ec01f0e34928d93113..435a4e51b9bb04f23dd7d3797d58f331adf6ee6d 100644 (file)
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -1807,6 +1807,7 @@ int hostapd_add_iface(struct hapd_interfaces *interfaces, char *buf)
                        if (start_ctrl_iface_bss(hapd) < 0 ||
                            (hapd_iface->state == HAPD_IFACE_ENABLED &&
                             hostapd_setup_bss(hapd, -1))) {
+                               hapd_iface->bss[hapd_iface->num_bss - 1] = NULL;
                                hapd_iface->conf->num_bss--;
                                hapd_iface->num_bss--;
                                wpa_printf(MSG_DEBUG, "%s: free hapd %p %s",