From: Benjamin Berg <benjamin.berg@intel.com>
Date: Tue, 18 Mar 2025 10:19:55 +0000 (+0100)
Subject: nl80211: Fix use after free of bss in MLD link removal
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cb8d3013e24dec4128f640e2046d2514e43d612;p=thirdparty%2Fhostap.git

nl80211: Fix use after free of bss in MLD link removal

This was reported by ASAN, the bss variable was just freed a bit
earlier.

Fixes: c6ff28cb63a5 ("AP MLD: Handle garbage pointer after MLD interface is deleted")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
---

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index 024eae7ee..1ba8f1f33 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -10975,6 +10975,8 @@ static int driver_nl80211_link_remove(void *priv, enum wpa_driver_if_type type,
 		drv->ctx = bss->ctx;
 
 	if (!bss->valid_links) {
+		void *ctx = bss->ctx;
+
 		wpa_printf(MSG_DEBUG,
 			   "nl80211: No more links remaining, so remove interface");
 		ret = wpa_driver_nl80211_if_remove(bss, type, ifname);
@@ -10982,7 +10984,7 @@ static int driver_nl80211_link_remove(void *priv, enum wpa_driver_if_type type,
 			return ret;
 
 		/* Notify that the MLD interface is removed */
-		wpa_supplicant_event(bss->ctx, EVENT_MLD_INTERFACE_FREED, NULL);
+		wpa_supplicant_event(ctx, EVENT_MLD_INTERFACE_FREED, NULL);
 	}
 
 	return 0;