[PATCH] Fix a compiler warning on use-after-free

From: Chien Wong <m@xxxxxxxx>
Date: Sun, 6 Aug 2023 23:17:47 +0800
Subject: [PATCH] Fix a compiler warning on use-after-free

Fix the warning given by GCC 13.2.1:
bss.c: In function ‘wpa_bss_update’:
bss.c:741:25: warning: pointer ‘bss’ may be used after ‘realloc’ [-Wuse-after-free]
  741 | wpa_bss_update_pending_connect(wpa_s, bss, nbss);

The warning is a false positive. GCC cannot figure out that
wpa_bss_update_pending_connect() does not access bss and thus gives the warning.
Indeed, no invalid access occurs here. Fixed by keeping the pointer bss
valid until freed. As a general rule, references should be cleared as
soon as the object is freed. All calls to os_realloc() were checked: they
all follow the pattern that the old reference is updated almost immediately
after realloc.

Signed-off-by: Chien Wong <m@xxxxxxxx>
---
 wpa_supplicant/bss.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 320441426..3eafd5764 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -726,10 +726,12 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
         struct wpa_bss *nbss;
         struct dl_list *prev = bss->list_id.prev;
         dl_list_del(&bss->list_id);
-        nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
-                  res->beacon_ie_len);
+        nbss = os_malloc(sizeof(*bss) + res->ie_len +
+                 res->beacon_ie_len);
         if (nbss) {
             unsigned int i;
+            os_memcpy(nbss, bss, sizeof(*bss) + bss->ie_len +
+                  bss->beacon_ie_len);
             for (i = 0; i < wpa_s->last_scan_res_used; i++) {
                 if (wpa_s->last_scan_res[i] == bss) {
                     wpa_s->last_scan_res[i] = nbss;
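Review bot: the os_memcpy() added in this hunk copies sizeof(*bss) + bss->ie_len + bss->beacon_ie_len bytes, that is the old IE payload, into a buffer that was allocated for sizeof(*bss) + res->ie_len + res->beacon_ie_len; whenever the new scan result carries fewer IE bytes than the stored BSS, this writes past the end of nbss. The old IE bytes are not needed at all, since the second hunk immediately overwrites them with `os_memcpy(bss->ies, res + 1, res->ie_len + res->beacon_ie_len);`, so copy only the fixed part of the structure: `os_memcpy(nbss, bss, sizeof(*bss));`.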
@@ -739,6 +741,7 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
             if (wpa_s->current_bss == bss)
                 wpa_s->current_bss = nbss;
             wpa_bss_update_pending_connect(wpa_s, bss, nbss);
+            os_free(bss);
             bss = nbss;
             os_memcpy(bss->ies, res + 1,
                   res->ie_len + res->beacon_ie_len);
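Review bot: placing os_free(bss) directly after wpa_bss_update_pending_connect(wpa_s, bss, nbss) keeps the old allocation live at its last use and before `bss = nbss;`, which is what silences the warning, and the commit message states that the callee only compares bss rather than dereferencing it, so the ordering is sound. The trade-off is that os_realloc() could grow the block in place, whereas this path now performs an allocation, a copy and a free on every BSS update; since the message calls the warning a false positive, it should say explicitly that this cost is accepted in exchange for a clean build, or the alternative of keeping os_realloc() and restructuring the call so that the old pointer is not passed after the reallocation should be mentioned.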
--
2.41.0
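The pattern the patch is about, as an added, self-contained example that is not hostap code: an object with a trailing variable-size IE payload is replaced by a new allocation, every outstanding reference (an array of pointers and a "current" pointer, standing in for last_scan_res[] and current_bss) is repointed by comparing against the old pointer, only the fixed header is copied so that shrinking the payload cannot overflow the new buffer, and the old object is freed only after its last comparison. The names struct bss, struct ctx, bss_new(), bss_update() and demo() are hypothetical, and the IE byte strings are constructed for the example.

```c
/* Added example (not hostap code): replace a variable-size object while
 * keeping every outstanding reference valid, in the style of the
 * wpa_bss_update() change discussed above. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct bss {
    unsigned int id;
    size_t ie_len;
    unsigned char ies[];      /* flexible array: ie_len bytes follow */
};

#define MAX_REFS 4

struct ctx {
    struct bss *refs[MAX_REFS]; /* stands in for last_scan_res[] */
    struct bss *current;        /* stands in for current_bss */
};

static struct bss *bss_new(unsigned int id, const unsigned char *ies,
                           size_t ie_len)
{
    struct bss *b = malloc(sizeof(*b) + ie_len);
    if (!b)
        return NULL;
    b->id = id;
    b->ie_len = ie_len;
    memcpy(b->ies, ies, ie_len);
    return b;
}

/* Replace the IE payload of *pbss, which may grow or shrink. Every
 * reference in ctx that pointed at the old object is repointed to the new
 * one. The old pointer is only compared, never dereferenced, after the
 * header copy, and it is freed before the caller's variable is updated.
 * Returns 0 on success, -1 if allocation fails (old object left intact). */
static int bss_update(struct ctx *ctx, struct bss **pbss,
                      const unsigned char *ies, size_t ie_len)
{
    struct bss *old = *pbss;
    struct bss *nbss = malloc(sizeof(*nbss) + ie_len);
    unsigned int i;

    if (!nbss)
        return -1;
    /* Copy only the fixed header. Copying old->ie_len payload bytes would
     * overflow nbss when the new payload is smaller than the old one, and
     * the payload is rewritten right below anyway. */
    memcpy(nbss, old, sizeof(*nbss));
    memcpy(nbss->ies, ies, ie_len);
    nbss->ie_len = ie_len;
    for (i = 0; i < MAX_REFS; i++)
        if (ctx->refs[i] == old)
            ctx->refs[i] = nbss;
    if (ctx->current == old)
        ctx->current = nbss;
    free(old);   /* the comparisons above were the last use of old */
    *pbss = nbss;
    return 0;
}

/* Grow, then shrink, checking that all references follow the object.
 * Returns 0 when every check passes, a negative code otherwise. */
static int demo(void)
{
    /* Constructed IE byte strings (tag, length, payload). */
    static const unsigned char ie1[] = { 0x00, 0x04, 't', 'e', 's', 't' };
    static const unsigned char ie2[] = { 0x00, 0x08, 'l', 'o', 'n', 'g',
                                         'e', 'r', '!', '!', 0x01, 0x00 };
    static const unsigned char ie3[] = { 0x00, 0x00 };
    struct ctx ctx = { { 0 }, NULL };
    struct bss *b = bss_new(1, ie1, sizeof(ie1));

    if (!b)
        return -1;
    ctx.refs[2] = b;
    ctx.current = b;
    if (bss_update(&ctx, &b, ie2, sizeof(ie2)) < 0)   /* grow */
        return -1;
    if (ctx.refs[2] != b || ctx.current != b || b->ie_len != sizeof(ie2))
        return -2;
    if (bss_update(&ctx, &b, ie3, sizeof(ie3)) < 0)   /* shrink */
        return -1;
    if (ctx.refs[2] != b || ctx.current != b || b->ie_len != sizeof(ie3))
        return -3;
    if (memcmp(b->ies, ie3, sizeof(ie3)) != 0 || b->id != 1)
        return -4;
    free(b);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Building this with `gcc -Wall -Wuse-after-free=3 -fsanitize=address` produces no warning, because the only uses of the old pointer after the copy are equality comparisons that precede free(); swapping the header-only memcpy() for a copy of the full old size and then shrinking the payload is exactly the overflow ASan reports.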


Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
