[PATCH] Fix using invalid memory during driver deinit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



We recorded the address of hapd_iface->bss[0]->drv_priv before calling
hostapd_free_hapd_data function and passed it to the
hostapd_deinit_driver function after the call.
However, the hostapd_free_hapd_data function may free the hapd->drv_priv
memory, which could lead to the hostapd_deinit_driver using an invalid
memory address that has already been freed.

Signed-off-by: Ming Kuang <ming@xxxxxxxxxxx>
---
 src/ap/hostapd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 7d924893f..6c3bcdb78 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -3627,8 +3627,6 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface)
 	}
 
 	wpa_msg(hapd_iface->bss[0]->msg_ctx, MSG_INFO, AP_EVENT_DISABLED);
-	driver = hapd_iface->bss[0]->driver;
-	drv_priv = hapd_iface->bss[0]->drv_priv;
 
 	hapd_iface->driver_ap_teardown =
 		!!(hapd_iface->drv_flags &
@@ -3647,6 +3645,8 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface)
 		hostapd_free_hapd_data(hapd);
 	}
 
+	driver = hapd_iface->bss[0]->driver;
+	drv_priv = hapd_iface->bss[0]->drv_priv;
 	hostapd_deinit_driver(driver, drv_priv, hapd_iface);
 
 	/* From hostapd_cleanup_iface: These were initialized in
-- 
2.39.5


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux