From: Eliad Peller <eliad@wizery.com>
Date: Mon, 5 Mar 2012 15:09:55 +0000 (+0200)
Subject: BSS: Fix use-after-realloc
X-Git-Tag: hostap_2_0~801
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eb37e085a4c17a7ebdf258d480c5f2c8a2ac7f08;p=thirdparty%2Fhostap.git

BSS: Fix use-after-realloc

After reallocation of the bss struct, current_bss wasn't updated and
could hold an invalid pointer (which might get dereferenced later).

Update current_bss if the pointer was changed.

Signed-hostap: Eliad Peller <eliad@wizery.com>
intended-for: hostap-1
---

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 2a5bb852a..b79510e40 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -328,6 +328,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 		nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
 				  res->beacon_ie_len);
 		if (nbss) {
+			if (wpa_s->current_bss == bss)
+				wpa_s->current_bss = nbss;
 			bss = nbss;
 			os_memcpy(bss + 1, res + 1,
 				  res->ie_len + res->beacon_ie_len);