wifi: mac80211: fix use-after-free

[ Upstream commit 40fb87129049ec5876dabf4a4d4aed6642b31f1a ]

We've already freed the assoc_data at this point, so need
to use another copy of the AP (MLD) address instead.

Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index fc764984d687f86e93baeec1ec4487b6e6e536f6..1e9cb4be6ed3df7d279879bda53026fb6bf22739 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -5122,7 +5122,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
        resp.req_ies = ifmgd->assoc_req_ies;
        resp.req_ies_len = ifmgd->assoc_req_ies_len;
        if (sdata->vif.valid_links)
-               resp.ap_mld_addr = assoc_data->ap_addr;
+               resp.ap_mld_addr = sdata->vif.cfg.ap_addr;
        cfg80211_rx_assoc_resp(sdata->dev, &resp);
 notify_driver:
        drv_mgd_complete_tx(sdata->local, sdata, &info);