UBSan: Fix RRM beacon processing attempt without scan_info

Some driver interfaces (e.g., wext) might not include the
data->scan_info information and data could be NULL here. Do not try to
call the RRM handler in this case since that would dereference the NULL
pointer when determining where scan_info is located and could
potentially result in trying to read from unexpected location if RRM is
enabled with a driver interface that does not support it.

events.c:1907:59: runtime error: member access within null pointer of type 'union wpa_event_data'

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index f2462d794b2b7bc27c2a71b2b9e7a9d12166b6eb..daca69cdbab6601a3c75ad82253dc40c61ca47e0 100644 (file)
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant - Driver event processing
- * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -1903,7 +1903,7 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
        if (sme_proc_obss_scan(wpa_s) > 0)
                goto scan_work_done;
 
-       if (own_request &&
+       if (own_request && data &&
            wpas_beacon_rep_scan_process(wpa_s, scan_res, &data->scan_info) > 0)
                goto scan_work_done;