From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 18 Oct 2021 21:23:09 +0000 (+0300)
Subject: DPP2: Do not try to remove Controller TCP connection twice on error
X-Git-Tag: hostap_2_10~122
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e122945fa533d90c9c49b21896d0a12f6fb2f1a;p=thirdparty%2Fhostap.git

DPP2: Do not try to remove Controller TCP connection twice on error

These code paths on the Controller were calling dpp_connection_remove()
twice for the same connection in the error cases. That would result in
double-freeing of the memory, so fix this by remove the
dpp_connection_remove() call from the called function and instead,
remove the connection in dpp_controller_rx() error handling.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---

diff --git a/src/common/dpp_tcp.c b/src/common/dpp_tcp.c
index 103eda272..fb8ef1c5b 100644
--- a/src/common/dpp_tcp.c
+++ b/src/common/dpp_tcp.c
@@ -671,10 +671,8 @@ static int dpp_controller_rx_auth_req(struct dpp_connection *conn,
 	}
 
 	if (dpp_set_configurator(conn->auth,
-				 conn->ctrl->configurator_params) < 0) {
-		dpp_connection_remove(conn);
+				 conn->ctrl->configurator_params) < 0)
 		return -1;
-	}
 
 	return dpp_tcp_send_msg(conn, conn->auth->resp_msg);
 }
@@ -700,7 +698,6 @@ static int dpp_controller_rx_auth_resp(struct dpp_connection *conn,
 			return 0;
 		}
 		wpa_printf(MSG_DEBUG, "DPP: No confirm generated");
-		dpp_connection_remove(conn);
 		return -1;
 	}
 
@@ -862,7 +859,6 @@ static int dpp_controller_rx_presence_announcement(struct dpp_connection *conn,
 		return -1;
 	if (dpp_set_configurator(auth, conn->ctrl->configurator_params) < 0) {
 		dpp_auth_deinit(auth);
-		dpp_connection_remove(conn);
 		return -1;
 	}