nl80211: Fix memory leak on libnl nl_cb
authorJouni Malinen <quic_jouni@quicinc.com>
Mon, 22 Jan 2024 09:35:51 +0000 (11:35 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 22 Jan 2024 09:35:51 +0000 (11:35 +0200)
nl_socket_get_cb() increases cb_refcnt for the cb that is bound to a
socket and as such, nl_cb_put() needs to be used with the returned cb
after having cloned it to avoid leaking memory due to cb_refcnt never
getting back to 0.

Fixes: da0d51fee74b ("nl80211: Use socket cb instead of global->nl_cb in send_and_recv()")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/drivers/driver_nl80211.c

index fcac9cc04a8269f616d153a3ee01e631a35d4b05..6cc363e97da05e281b9b73675b0ce1d51e11613c 100644 (file)
@@ -498,7 +498,7 @@ int send_and_recv(struct nl80211_global *global,
                  void *ack_data,
                  struct nl80211_err_info *err_info)
 {
-       struct nl_cb *cb;
+       struct nl_cb *cb, *s_nl_cb;
        struct nl80211_ack_err_args err;
        int opt;
 
@@ -507,7 +507,9 @@ int send_and_recv(struct nl80211_global *global,
 
        err.err = -ENOMEM;
 
-       cb = nl_cb_clone(nl_socket_get_cb(nl_handle));
+       s_nl_cb = nl_socket_get_cb(nl_handle);
+       cb = nl_cb_clone(s_nl_cb);
+       nl_cb_put(s_nl_cb);
        if (!cb)
                goto out;