From: Jouni Malinen
Date: Fri, 19 Aug 2016 13:29:22 +0000 (+0300)
Subject: Initialize hapd->nr_db in hostapd_alloc_bss_data()
X-Git-Tag: hostap_2_6~104
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2f8616e806f90afed0e308a85088df4d4a9f349;p=thirdparty%2Fhostap.git
Initialize hapd->nr_db in hostapd_alloc_bss_data()
Previously, this was initialized in hostapd_setup_bss() which made it possible for a REMOVE_NEIGHBOR control interface command to be issued prior to the list head pointers having been set. That resulted in a NULL pointer dereference. Fix this by initializing the list head at the time the data structure gets allocated.
Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 65f513d1a..a09d4232a 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -912,7 +912,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
 return -1;
 }
 hapd->started = 1;
- dl_list_init(&hapd->nr_db);
 if (!first || first == -1) {
 u8 *addr = hapd->own_addr;
@@ -2002,6 +2001,7 @@ hostapd_alloc_bss_data(struct hostapd_iface *hapd_iface,
 hapd->driver = hapd->iconf->driver;
 hapd->ctrl_sock = -1;
 dl_list_init(&hapd->ctrl_dst);
+ dl_list_init(&hapd->nr_db);
 return hapd;
 }
diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index 741670beb..d67d3b2aa 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -178,6 +178,7 @@ static int wpa_supplicant_mesh_init(struct wpa_supplicant *wpa_s,
 ifmsh->bss[0] = bss = os_zalloc(sizeof(struct hostapd_data));
 if (!bss) goto out_free;
+ dl_list_init(&bss->nr_db);
 os_memcpy(bss->own_addr, wpa_s->own_addr, ETH_ALEN);
 bss->driver = wpa_s->driver;
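Review bot: The added `dl_list_init(&hapd->nr_db);` in hostapd_alloc_bss_data() (src/ap/hostapd.c, second hunk) has no comment recording that it must run at allocation time, and that ordering constraint is the whole fix. Per the commit message, a REMOVE_NEIGHBOR control interface command can arrive before hostapd_setup_bss() has run, so moving this call back into setup would reintroduce the NULL pointer dereference. I would put `/* Must be initialized at allocation: ctrl_iface commands (e.g. REMOVE_NEIGHBOR) can use nr_db before hostapd_setup_bss() */` above the call. The function starts outside the hunk, so the allocation itself is not visible here.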
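Review bot: In wpa_supplicant_mesh_init() (wpa_supplicant/mesh.c) the list head is initialized by hand after a bare `os_zalloc(sizeof(struct hostapd_data))`, so this path duplicates part of hostapd_alloc_bss_data() and every list head added to struct hostapd_data later has to be remembered in both places. A zeroed, uninitialized head is presumably what led to the NULL pointer dereference described in the commit message, which makes a missed site a crash rather than a harmless omission. Consider a small shared initializer for the struct's list heads that both allocation sites call. Whether `ctrl_dst` needs the same handling on the mesh path cannot be judged from this hunk, and the function begins and continues outside it.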