From: Jouni Malinen <j@w1.fi>
Date: Mon, 27 Jun 2016 15:30:11 +0000 (+0300)
Subject: GAS: Fix double-free on an error path
X-Git-Tag: hostap_2_6~313
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1574fa1c6c56f49867e4ec644e5a2b30e1c607b1;p=thirdparty%2Fhostap.git

GAS: Fix double-free on an error path

If radio_add_work() fails, gas_query_req() ended up freeing the query
payload and returning an error. This resulted in also the caller trying
to free the query payload. Fix this by not freeing the buffer within
gas_query_req() in error case to be consistent with the other error
cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index c0c8c46bc..691de0345 100644
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -774,6 +774,7 @@ int gas_query_req(struct gas_query *gas, const u8 *dst, int freq,
 
 	if (radio_add_work(gas->wpa_s, freq, "gas-query", 0, gas_query_start_cb,
 			   query) < 0) {
+		query->req = NULL; /* caller will free this in error case */
 		gas_query_free(query, 1);
 		return -1;
 	}