From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 16 May 2016 16:04:54 +0000 (+0300)
Subject: Fix external radio work debug printing on removal
X-Git-Tag: hostap_2_6~484
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7d1007a6740a49b6e6bb0e91808ebb8fc9d5789d;p=thirdparty%2Fhostap.git

Fix external radio work debug printing on removal

work->type was pointing to the allocated work->ctx buffer and the debug
print in radio_work_free() ended up using freed memory if a started
external radio work was removed as part of FLUSH command operations. Fix
this by updating work->type to point to a constant string in case the
dynamic version gets freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 05e28e9c4..ea8ceccb8 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -7268,6 +7268,13 @@ static void wpas_ctrl_radio_work_cb(struct wpa_radio_work *work, int deinit)
 			eloop_cancel_timeout(wpas_ctrl_radio_work_timeout,
 					     work, NULL);
 
+		/*
+		 * work->type points to a buffer in ework, so need to replace
+		 * that here with a fixed string to avoid use of freed memory
+		 * in debug prints.
+		 */
+		work->type = "freed-ext-work";
+		work->ctx = NULL;
 		os_free(ework);
 		return;
 	}