From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 7 Apr 2014 10:35:18 +0000 (+0300)
Subject: WNM: Fix deinit path to clean neighbor report count
X-Git-Tag: hostap_2_2~351
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec331d09a29c6b0dd5c59123688cd55f6dcdc31a;p=thirdparty%2Fhostap.git

WNM: Fix deinit path to clean neighbor report count

wnm_deallocate_memory() left wnm_num_neighbor_report set while freeing
the allocated buffer of neighbor reports. If this function was called
twice in a row without having went through new neighbor report parsing,
invalid pointers could have been freed resulted in segfault.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 952db0ac0..1ca4c71fa 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -319,6 +319,7 @@ void wnm_deallocate_memory(struct wpa_supplicant *wpa_s)
 		os_free(wpa_s->wnm_neighbor_report_elements[i].mul_bssid);
 	}
 
+	wpa_s->wnm_num_neighbor_report = 0;
 	os_free(wpa_s->wnm_neighbor_report_elements);
 	wpa_s->wnm_neighbor_report_elements = NULL;
 }