From: Pradeep Reddy Potteti <c_ppotte@qti.qualcomm.com>
Date: Fri, 28 Apr 2017 10:52:08 +0000 (+0530)
Subject: MBO: Fix possible NULL pointer dereference on candidate handling
X-Git-Tag: hostap_2_7~1350
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2a04874cfbc8541f6ede34c16333aac4e4671cb;p=thirdparty%2Fhostap.git

MBO: Fix possible NULL pointer dereference on candidate handling

If the driver provides input on MBO transition candidate handling, the
target value in get_mbo_transition_candidate() can be NULL if the driver
provided BSSID is not found in the wpa_supplicant BSS table. And later
it would be dereferenced. Fix this by adding an explicit check before
dereferencing the pointer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index f17a8dc83..7339ed26d 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -581,8 +581,9 @@ get_mbo_transition_candidate(struct wpa_supplicant *wpa_s,
 		for (i = 0; i < info->num; i++) {
 			target = wpa_bss_get_bssid(wpa_s,
 						   info->candidates[i].bssid);
-			if (target->level <
-			    wpa_s->conf->disassoc_imminent_rssi_threshold)
+			if (target &&
+			    (target->level <
+			     wpa_s->conf->disassoc_imminent_rssi_threshold))
 				continue;
 			goto end;
 		}