In the current implementation, when hostapd_start_beacon() fails during
AP MLD setup, it flushes old station entries, deauthenticates all
stations, and frees hapd data. However, it does not unlink the
associated BSS from the AP MLD structure.
While performing wifi stability testing during interface down/up, this
retains a stale reference to the freed BSS. Subsequent attempts to
access MLD links post-failure lead to a segmentation fault due to this
use-after-free condition.
Fix this by unlinking the BSS from the AP MLD on failure paths to
prevent potential use-after-free scenarios.
Signed-off-by: Ramasamy Kaliappan <ramasamy.kaliappan@oss.qualcomm.com>
for (;;) {
hapd = iface->bss[j];
hostapd_bss_deinit_no_free(hapd);
+ hostapd_bss_link_deinit(hapd);
hostapd_free_hapd_data(hapd);
if (j == 0)
break;
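Review bot: the new hostapd_bss_link_deinit(hapd) call in this hunk sits between hostapd_bss_deinit_no_free() and hostapd_free_hapd_data(), which is the right spot, but the loop iterates over every iface->bss[j] regardless of whether that BSS is an MLD link; please confirm in the cover text that hostapd_bss_link_deinit() is a no-op for a BSS that has no AP MLD (or was never linked because the failure happened before linking), since the commit message only describes the MLD case. It would also help to name the function this loop lives in, as the message refers to "failure paths" without saying which ones.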
for (;;) {
hapd = iface->bss[j];
hostapd_bss_deinit_no_free(hapd);
+ hostapd_bss_link_deinit(hapd);
hostapd_free_hapd_data(hapd);
if (j == 0)
break;
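Review bot: this hunk is identical to the previous one, so the two cleanup loops are now duplicating three calls in the same order; consider folding them into a single helper (for example a static function that calls hostapd_bss_deinit_no_free(), hostapd_bss_link_deinit() and hostapd_free_hapd_data() on a hapd) so a future fix does not have to be applied twice. If the two loops are kept, the commit message should state which two failure paths they correspond to.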