From: Xin Deng
Date: Tue, 11 Jul 2023 06:18:38 +0000 (-0700)
Subject: P2P: Clean wpa_s->last_ssid when removing a temporary group network
X-Git-Tag: hostap_2_11~1040
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47a65ccbfde21f24f28a88b378d6266e6c448949;p=thirdparty%2Fhostap.git

P2P: Clean wpa_s->last_ssid when removing a temporary group network

wpa_supplicant could crash due to dereferencing freed memory in a corner case. When a reestablished P2P GO group gets removed because the hardware mode is not supported when switching from 2.4 to 5 GHz. Group removal in wpas_p2p_group_delete() forgets to clean wpa_s->last_ssid due to the missing wpas_notify_network_removed() call before removing the network with wpa_config_remove_network(). That could cause a crash when flushing old BSSs which age out in wpa_bss_flush_by_age() which uses wpa_s->last_ssid in some cases.

Fix this by invoking wpas_notify_network_removed() to clean wpa_s->last_ssid when removing a temporary P2P group network.

Signed-off-by: Jouni Malinen
---
diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index aa4ce0964..9c6e24d6f 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c @@ -1085,6 +1085,7 @@ static int wpas_p2p_group_delete(struct wpa_supplicant *wpa_s, * Likewise, we don't send out network removed signals for such * network objects. */ + wpas_notify_network_removed(wpa_s, ssid); wpa_config_remove_network(wpa_s->conf, id); wpa_supplicant_clear_status(wpa_s); wpa_supplicant_cancel_sched_scan(wpa_s);
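Review bot: The context comment directly above the added line in wpas_p2p_group_delete() still says "we don't send out network removed signals for such network objects", which now reads as a contradiction of the new wpas_notify_network_removed(wpa_s, ssid) call that follows it. Please update that comment to say the call is made here to clear the stale wpa_s->last_ssid pointer before wpa_config_remove_network() frees the network, and to state whether any removal signal is in fact emitted for a temporary P2P group network. Without that, a later cleanup that trusts the old comment could drop the call again and reintroduce the freed-memory dereference in wpa_bss_flush_by_age() described in the commit message. Since the fix relies on a side effect of the notify function, it is also worth noting in the comment that the call has to stay ahead of wpa_config_remove_network(), because ssid is no longer valid afterwards.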