From: Jouni Malinen
Date: Fri, 26 Apr 2019 13:15:15 +0000 (+0300)
Subject: Clear cached extended_capa pointers on hapd_deinit() call
X-Git-Tag: hostap_2_9~326
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9058266f01162cdc0720a0682d4f89e44cf054b;p=thirdparty%2Fhostap.git

Clear cached extended_capa pointers on hapd_deinit() call

driver->hapd_deinit() is going to free the memory that the cached pointers are pointing to, so clear the pointers to avoid possibility of dereferencing used memory. It seemed to be possible to hit a code path using those fields by issuing a CHAN_SWITCH command on disabled hostapd interface in some cases.

Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 20c8e8f5a..0bd689238 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -2486,8 +2486,12 @@ static void hostapd_deinit_driver(const struct wpa_driver_ops *driver,
 			wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p",
 				   __func__, (int) j,
 				   hapd_iface->bss[j]->drv_priv);
-			if (hapd_iface->bss[j]->drv_priv == drv_priv)
+			if (hapd_iface->bss[j]->drv_priv == drv_priv) {
 				hapd_iface->bss[j]->drv_priv = NULL;
+				hapd_iface->extended_capa = NULL;
+				hapd_iface->extended_capa_mask = NULL;
+				hapd_iface->extended_capa_len = 0;
+			}
 		}
 	}
 }
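Review bot: The three new clears of `hapd_iface->extended_capa`, `hapd_iface->extended_capa_mask` and `hapd_iface->extended_capa_len` are per-interface state, yet they sit inside the per-BSS loop and only execute when `hapd_iface->bss[j]->drv_priv == drv_priv`; the commit message says `driver->hapd_deinit(drv_priv)` frees that memory regardless, so if no BSS entry happens to match (or the cached pointers came from a different drv_priv, which the hunk cannot show) they would stay dangling, which is exactly the use-after-free this change is meant to close. Placing the three assignments directly after the `hapd_deinit()` call, outside the loop, would make the invalidation unconditional and avoid repeating it for every matching BSS, and the one-line `drv_priv = NULL` body could then keep its original brace-free form. A comment such as `/* hapd_deinit() freed the driver's capability buffers; drop the cached pointers */` above the clears would record why they are reset here. The enclosing `hostapd_deinit_driver()` begins before this hunk and the `hapd_deinit()` call itself is not visible in it.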