From 47a65ccbfde21f24f28a88b378d6266e6c448949 Mon Sep 17 00:00:00 2001 From: Xin Deng Date: Mon, 10 Jul 2023 23:18:38 -0700 Subject: [PATCH] P2P: Clean wpa_s->last_ssid when removing a temporary group network wpa_supplicant could crash due to dereferencing freed memory in a corner case: when a reestablished P2P GO group gets removed because the hardware mode is not supported when switching from 2.4 to 5 GHz. Group removal in wpas_p2p_group_delete() forgets to clean wpa_s->last_ssid due to the missing wpas_notify_network_removed() call before removing the network with wpa_config_remove_network(). That could cause a crash when flushing old BSSs which age out in wpa_bss_flush_by_age() which uses wpa_s->last_ssid in some cases. Fix this by invoking wpas_notify_network_removed() to clean wpa_s->last_ssid when removing a temporary P2P group network. Signed-off-by: Jouni Malinen --- wpa_supplicant/p2p_supplicant.c | 1 + 1 file changed, 1 insertion(+) diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c index aa4ce0964..9c6e24d6f 100644 --- a/wpa_supplicant/p2p_supplicant.c +++ b/wpa_supplicant/p2p_supplicant.c @@ -1085,6 +1085,7 @@ static int wpas_p2p_group_delete(struct wpa_supplicant *wpa_s, * Likewise, we don't send out network removed signals for such * network objects. */ + wpas_notify_network_removed(wpa_s, ssid); wpa_config_remove_network(wpa_s->conf, id); wpa_supplicant_clear_status(wpa_s); wpa_supplicant_cancel_sched_scan(wpa_s); -- 2.47.2
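Review bot: The added wpas_notify_network_removed(wpa_s, ssid) call in wpas_p2p_group_delete() sits directly under the existing comment that ends "Likewise, we don't send out network removed signals for such network objects", so the code now contradicts the comment above it. Please update that comment to state that the call is made here to clear wpa_s->last_ssid before wpa_config_remove_network(wpa_s->conf, id) frees the entry, and confirm that issuing the notification for a temporary group network does not emit a removal signal that listeners never saw a matching add for. If the only goal is to drop the stale pointer, the commit message should also say why the notify helper was chosen over clearing wpa_s->last_ssid directly at this point, since a later reader will otherwise take the call for a mistake given the comment.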