On Tue, May 29, 2018 at 02:39:05PM -0700, peter.oh@xxxxxxxxxxxxxxxxx wrote:
> mesh join function consists of 2 parts which are preparing
> configurations and sending join event to driver.
> Since physical mesh join event could happen either right
> after mesh configuration is done or after CAC is done
> in case of DFS channel is used, factor out the function
> into 2 parts to reduce redundant calls.

This leaks memory:

> +void wpas_join_mesh(struct wpa_supplicant *wpa_s)
> +{
> + struct wpa_driver_mesh_join_params *params = wpa_s->mesh_params;

Nothing frees wpa_s->mesh_params here or anywhere else. This needs to
get freed somewhere both in success and failure cases.

> int wpa_supplicant_join_mesh(struct wpa_supplicant *wpa_s,
> struct wpa_ssid *ssid)
> {
> - struct wpa_driver_mesh_join_params params;
> + struct wpa_driver_mesh_join_params *params =
> + os_zalloc(sizeof(struct wpa_driver_mesh_join_params));

This is where the allocation happens.

> - if (wpa_supplicant_mesh_init(wpa_s, ssid, &params.freq)) {
> + wpa_s->mesh_params = params;
> + if (wpa_supplicant_mesh_init(wpa_s, ssid, &params->freq)) {

And this sets wpa_s->mesh_params overriding the previous (potentially
unfreed) pointer.

-- 
Jouni Malinen PGP id EFC895FA
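
Review bot: in wpas_join_mesh(), params is taken from wpa_s->mesh_params with no NULL check in the lines shown, and per the commit message the join can be triggered either right after mesh configuration or after CAC. Suggest returning early when wpa_s->mesh_params is NULL, and giving one place (this function or a shared cleanup helper) the job of freeing the structure and resetting wpa_s->mesh_params to NULL once the join has been attempted, so a later caller cannot reuse or double-free a stale pointer.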
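
Review bot: in wpa_supplicant_join_mesh(), the os_zalloc() result is assigned to wpa_s->mesh_params and &params->freq is passed to wpa_supplicant_mesh_init() without a NULL check, so an allocation failure hands the callee a pointer derived from NULL. Suggest checking params immediately after the allocation and failing the join there, releasing any existing wpa_s->mesh_params before the assignment, and on the wpa_supplicant_mesh_init() failure branch freeing params and setting wpa_s->mesh_params = NULL.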