From: Ramasamy Kaliappan
Date: Fri, 27 Jun 2025 13:24:08 +0000 (+0530)
Subject: AP MLD: Deinit BSS link if starting beaconing fails
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6a6a33799c441cc0de68b8fc327d4dde64581f4;p=thirdparty%2Fhostap.git

AP MLD: Deinit BSS link if starting beaconing fails

In the current implementation, when hostapd_start_beacon() fails during AP MLD setup, it flushes old station entries, deauthenticates all stations, and frees hapd data. However, it does not unlink the associated BSS from the AP MLD structure. While performing wifi stability testing during interface down/up, this retains a stale reference to the freed BSS. Subsequent attempts to access MLD links post-failure lead to a segmentation fault due to this use-after-free condition.

Fix this by unlinking the BSS from the AP MLD on failure paths to prevent potential use-after-free scenarios.

Signed-off-by: Ramasamy Kaliappan
---
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 6c4513615..f2f0c2949 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -2668,6 +2668,7 @@ static int hostapd_setup_interface_complete_sync(struct hostapd_iface *iface, for (;;) { hapd = iface->bss[j]; hostapd_bss_deinit_no_free(hapd); + hostapd_bss_link_deinit(hapd); hostapd_free_hapd_data(hapd); if (j == 0) break; @@ -2686,6 +2687,7 @@ static int hostapd_setup_interface_complete_sync(struct hostapd_iface *iface, for (;;) { hapd = iface->bss[j]; hostapd_bss_deinit_no_free(hapd); + hostapd_bss_link_deinit(hapd); hostapd_free_hapd_data(hapd); if (j == 0) break;
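Review bot: in the first hunk (the cleanup loop at hostapd.c:2668), hostapd_bss_link_deinit(hapd) is now called for every BSS the loop visits, which includes BSSes that are not part of an AP MLD at all and BSSes whose setup failed before they were ever linked; please confirm that the function is a safe no-op for an unlinked hapd, or guard the call on the BSS actually holding an MLD link, so the fix does not introduce a new failure on non-MLD setups. The ordering is right as written: the link is dropped before hostapd_free_hapd_data(hapd) frees the memory the MLD link list would otherwise keep pointing at, which is exactly the stale reference the commit message describes. A one-line comment above the new call stating that the MLD must drop its reference before the BSS is freed would make that ordering dependency visible to the next person editing this loop.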
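Review bot: the second hunk (hostapd.c:2686) repeats the identical three-call teardown sequence of the first hunk (hostapd_bss_deinit_no_free, hostapd_bss_link_deinit, hostapd_free_hapd_data), and the bug being fixed here is precisely what duplicated cleanup loops tend to produce, one path gaining a new step while the other does not. Consider folding the loop body into a small static helper that performs the three calls in order, so both failure paths in hostapd_setup_interface_complete_sync() stay in sync. It is also worth checking whether any other path in this function frees hapd data without first unlinking the BSS, since the commit message speaks of failure paths in general while the patch covers these two loops.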