hostapd: get reference to object before removal

`ucv_array_set` releases the array's reference to the object being cleared.
If this is the last reference to the object, it will be freed, making our
pointer `val` invalid.

To avoid this, we need to obtain our own reference to the object so we
can safely return `val`.

Signed-off-by: Matthew Cather <mattbob4@gmail.com>

diff --git a/package/network/services/hostapd/src/src/ap/ucode.c b/package/network/services/hostapd/src/src/ap/ucode.c
index 74e5558626dd50fe84631e4fe4d87ebeeba1b3f8..a865a292e134a4f2de66c7e4163cac4ca9dd85f7 100644 (file)
--- a/package/network/services/hostapd/src/src/ap/ucode.c
+++ b/package/network/services/hostapd/src/src/ap/ucode.c
@@ -916,7 +916,7 @@ void hostapd_ucode_free(void)
 
 void hostapd_ucode_free_iface(struct hostapd_iface *iface)
 {
-       wpa_ucode_registry_remove(iface_registry, iface->ucode.idx);
+       ucv_put(wpa_ucode_registry_remove(iface_registry, iface->ucode.idx));
 }
 
 void hostapd_ucode_bss_cb(struct hostapd_data *hapd, const char *type)
@@ -950,6 +950,8 @@ void hostapd_ucode_free_bss(struct hostapd_data *hapd)
        uc_value_push(ucv_string_new(hapd->conf->iface));
        uc_value_push(ucv_get(val));
        ucv_put(wpa_ucode_call(2));
+
+       ucv_put(val);
        ucv_gc(vm);
 }
 

diff --git a/package/network/services/hostapd/src/src/utils/ucode.c b/package/network/services/hostapd/src/src/utils/ucode.c
index c5b7e39a0ef4530b949cdb80692734c681e69469..a7cc2c7059cce8f6e843ebcad662e425263a0d23 100644 (file)
--- a/package/network/services/hostapd/src/src/utils/ucode.c
+++ b/package/network/services/hostapd/src/src/utils/ucode.c
@@ -471,6 +471,7 @@ uc_value_t *wpa_ucode_registry_remove(uc_value_t *reg, int idx)
        if (!val)
                return NULL;
 
+       ucv_get(val);
        ucv_array_set(reg, idx - 1, NULL);
        dataptr = ucv_resource_dataptr(val, NULL);
        if (dataptr)

diff --git a/package/network/services/hostapd/src/wpa_supplicant/ucode.c b/package/network/services/hostapd/src/wpa_supplicant/ucode.c
index 506bde45c93d06ae397c7d7acd4ddb9815d09e4d..8335a27e892b88ad9226fefe9a87739e0eccae3d 100644 (file)
--- a/package/network/services/hostapd/src/wpa_supplicant/ucode.c
+++ b/package/network/services/hostapd/src/wpa_supplicant/ucode.c
@@ -70,6 +70,7 @@ void wpas_ucode_free_bss(struct wpa_supplicant *wpa_s)
        uc_value_push(ucv_string_new(wpa_s->ifname));
        uc_value_push(ucv_get(val));
        ucv_put(wpa_ucode_call(2));
+       ucv_put(val);
        ucv_gc(vm);
 }