From: Jouni Malinen
Date: Sat, 31 May 2014 14:11:04 +0000 (+0300)
Subject: hostapd: Make sure hapd->drv_priv gets cleared on driver deinit
X-Git-Tag: hostap_2_2~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d92bdf96028e4f3ed115d5e1055be7061923f7f4;p=thirdparty%2Fhostap.git
hostapd: Make sure hapd->drv_priv gets cleared on driver deinit
Couple of code paths in hostapd.c could have left hapd->drv_priv pointing to memory that was freed in driver_nl80211.c when a secondary BSS interface is removed. This could result in use of freed memory and segfault when the next driver operation (likely during interface deinit/removal). Fix this by clearing hapd->drv_priv when there is reason to believe that the old value is not valid within the driver wrapper anymore.
Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index a4467cf0b..ed7330193 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -284,6 +284,13 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
 "Failed to remove BSS interface %s",
 hapd->conf->iface);
 hapd->interface_added = 1;
+ } else {
+ /*
+ * Since this was a dynamically added interface, the
+ * driver wrapper may have removed its internal instance
+ * and hapd->drv_priv is not valid anymore.
+ */
+ hapd->drv_priv = NULL;
 }
 }
@@ -1617,8 +1624,10 @@ void hostapd_interface_deinit_free(struct hostapd_iface *iface)
 hostapd_interface_deinit(iface);
 wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
 __func__, driver, drv_priv);
- if (driver && driver->hapd_deinit && drv_priv)
+ if (driver && driver->hapd_deinit && drv_priv) {
 driver->hapd_deinit(drv_priv);
+ iface->bss[0]->drv_priv = NULL;
+ }
 hostapd_interface_free(iface);
 }
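Review bot: The new else branch clears hapd->drv_priv only when hostapd_if_remove() succeeds; on the failure path (the `hapd->interface_added = 1;` context line) the stale pointer is kept, although a driver wrapper that fails part-way through removing the BSS may already have torn down some of the per-BSS state, so the use-after-free described in the commit message could still be reachable from a later driver operation on that hapd. Whether every driver wrapper guarantees that its instance stays fully valid after a failed removal is not visible from this hunk; if it does not, clearing the pointer on failure as well would be the conservative choice, at the cost of the retry on the next deinit no longer reaching the driver. At minimum that assumption deserves a comment on the failure branch, e.g. `/* Removal failed: assume the driver wrapper still owns drv_priv so the removal can be retried later */`. hostapd_free_hapd_data() continues outside the hunk on both sides.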
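Review bot: After `driver->hapd_deinit(drv_priv)` only `iface->bss[0]->drv_priv` is reset, while the local `drv_priv` still carries the freed pointer and, if hapd_deinit() releases state that other entries of iface->bss[] also point to, their drv_priv fields would keep dangling as well (whether they share this pointer or own separate instances is not visible here; hostapd_free_hapd_data() already clears the field for dynamically added BSSes). The reset also dereferences `iface->bss[0]` without a check, which is only safe because drv_priv was presumably read from that same entry earlier in the function, outside this hunk. Consider adding `drv_priv = NULL;` next to the new line so the local cannot be reused by later additions, and a one-line comment stating why bss[0] is the entry to clear, e.g. `/* drv_priv was taken from bss[0]; the driver instance it pointed to is gone now */`. The start of hostapd_interface_deinit_free() lies outside the hunk.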