hostapd: fix use after free bugs
authorDavid Bauer <mail@david-bauer.net>
Wed, 17 Nov 2021 20:46:11 +0000 (21:46 +0100)
committerDavid Bauer <mail@david-bauer.net>
Fri, 19 Nov 2021 20:58:12 +0000 (21:58 +0100)
Using a pointer one lifter after it freed is not the best idea.
Let's not do that.

Signed-off-by: David Bauer <mail@david-bauer.net>
package/network/services/hostapd/patches/600-ubus_support.patch

index ccf66be6b82c3e4fd50ed8b26d24dc7fafe37de2..b7f156bceb401c6c69f823693517d40328bce8f3 100644 (file)
                wpabuf_free(sta->p2p_ie);
 --- a/src/ap/sta_info.c
 +++ b/src/ap/sta_info.c
-@@ -459,6 +459,7 @@ void ap_handle_timer(void *eloop_ctx, vo
+@@ -458,6 +458,7 @@ void ap_handle_timer(void *eloop_ctx, vo
+               hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
                               HOSTAPD_LEVEL_INFO, "deauthenticated due to "
                               "local deauth request");
-               ap_free_sta(hapd, sta);
 +              hostapd_ubus_notify(hapd, "local-deauth", sta->addr);
+               ap_free_sta(hapd, sta);
                return;
        }
-@@ -614,6 +615,7 @@ skip_poll:
+@@ -613,6 +614,7 @@ skip_poll:
+               mlme_deauthenticate_indication(
                        hapd, sta,
                        WLAN_REASON_PREV_AUTH_NOT_VALID);
-               ap_free_sta(hapd, sta);
 +              hostapd_ubus_notify(hapd, "inactive-deauth", sta->addr);
+               ap_free_sta(hapd, sta);
                break;
        }
- }
 @@ -1329,6 +1331,7 @@ void ap_sta_set_authorized(struct hostap
                                          buf, ip_addr, keyid_buf);
        } else {