From 2e122945fa533d90c9c49b21896d0a12f6fb2f1a Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 19 Oct 2021 00:23:09 +0300 Subject: [PATCH] DPP2: Do not try to remove Controller TCP connection twice on error These code paths on the Controller were calling dpp_connection_remove() twice for the same connection in the error cases. That would result in double-freeing of the memory, so fix this by remove the dpp_connection_remove() call from the called function and instead, remove the connection in dpp_controller_rx() error handling. Signed-off-by: Jouni Malinen --- src/common/dpp_tcp.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/common/dpp_tcp.c b/src/common/dpp_tcp.c index 103eda272..fb8ef1c5b 100644 --- a/src/common/dpp_tcp.c +++ b/src/common/dpp_tcp.c @@ -671,10 +671,8 @@ static int dpp_controller_rx_auth_req(struct dpp_connection *conn, } if (dpp_set_configurator(conn->auth, - conn->ctrl->configurator_params) < 0) { - dpp_connection_remove(conn); + conn->ctrl->configurator_params) < 0) return -1; - } return dpp_tcp_send_msg(conn, conn->auth->resp_msg); } @@ -700,7 +698,6 @@ static int dpp_controller_rx_auth_resp(struct dpp_connection *conn, return 0; } wpa_printf(MSG_DEBUG, "DPP: No confirm generated"); - dpp_connection_remove(conn); return -1; } @@ -862,7 +859,6 @@ static int dpp_controller_rx_presence_announcement(struct dpp_connection *conn, return -1; if (dpp_set_configurator(auth, conn->ctrl->configurator_params) < 0) { dpp_auth_deinit(auth); - dpp_connection_remove(conn); return -1; } -- 2.47.2