From: Petr Štetiar <petr.stetiar@xxxxxxxxxxxxxxxxxx>

Currently when the iface is being cleaned up, hostapd_free_hw_features() is called, which frees the underlying hw_features and the struct is being NULLed, but the num_hw_features counter is not being reset, thus the following commonly used access construct:

    for (i = 0; i < iface->num_hw_features; i++)
        acs_cleanup_mode(&iface->hw_features[i]);

might then lead to use after free, and hostapd, for example, might crash during configuration reload on disabled interfaces:

    $ hostapd -ddt /tmp/wlan2_hapd.conf &
    $ hostapd_cli -i wlan2 raw DISABLE
    Fri Oct 4 20:44:04 2024
    1728074644.706408: wlan2: AP-DISABLED
    $ kill -SIGHUP $(pidof hostapd)
    Segmentation fault (core dumped) hostapd -ddt /tmp/wlan2_hapd.conf

So let's fix it by resetting the num_hw_features counter to 0, so the code will not try to access the freed memory in the hw_features struct.

Reported-by: Mohammed SI ALI <mohammed.siali@xxxxxxxxxxxxxx>
Tested-by: Houssem Dafdouf <houssem.dafdouf_ext@xxxxxxxxxxxxxx>
Signed-off-by: Petr Štetiar <ynezz@xxxxxxx>
Signed-off-by: Petr Štetiar <petr.stetiar@xxxxxxxxxxxxxxxxxx>
---
 src/ap/hostapd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 9dfc21e00f3e..f3945f868f5e 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -710,6 +710,7 @@ void hostapd_cleanup_iface_partial(struct hostapd_iface *iface)
 	acs_cleanup(iface);
 	hostapd_free_hw_features(iface->hw_features, iface->num_hw_features);
 	iface->hw_features = NULL;
+	iface->num_hw_features = 0;
 	iface->current_mode = NULL;
 	os_free(iface->current_rates);
 	iface->current_rates = NULL;

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
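Review bot: The added `iface->num_hw_features = 0;` line is placed correctly after `hostapd_free_hw_features(iface->hw_features, iface->num_hw_features);`, which still needs the real count to walk the array, so please keep that ordering if this block is ever reshuffled. Since the pointer and the counter are only meaningful as a pair, consider folding `iface->hw_features = NULL;` and the new `iface->num_hw_features = 0;` into one small helper alongside the free call, so any other site that tears down hw_features gets the same reset instead of relying on each caller to remember the counter; the hunk as posted fixes only this one call site in hostapd_cleanup_iface_partial().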
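The bug above is a stale (pointer, count) pair: the array is freed and the pointer NULLed, but any loop bounded by the old count still indexes through it. The following is an added example, not hostapd code and not part of the patch, using hypothetical simplified stand-ins (struct hw_mode, struct iface, free_hw_features, cleanup_iface_buggy, cleanup_iface_fixed) for the real hostapd structures. It shows the buggy and the fixed teardown side by side, plus an invariant check that a guarded iteration can use to refuse walking an inconsistent pair instead of crashing:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for hostapd's hw mode / iface structs. */
struct hw_mode {
    int mode;
    int *channels;       /* owned array, freed together with the mode */
    int num_channels;
};

struct iface {
    struct hw_mode *hw_features;   /* array of num_hw_features modes, or NULL */
    int num_hw_features;
    struct hw_mode *current_mode;  /* points into hw_features, or NULL */
};

/* Mirrors the shape of hostapd_free_hw_features(): takes array and count. */
static void free_hw_features(struct hw_mode *modes, int num)
{
    int i;
    if (!modes)
        return;
    for (i = 0; i < num; i++)
        free(modes[i].channels);
    free(modes);
}

/* Buggy teardown (the 'before' state): pointer NULLed, counter left stale. */
void cleanup_iface_buggy(struct iface *iface)
{
    free_hw_features(iface->hw_features, iface->num_hw_features);
    iface->hw_features = NULL;
    iface->current_mode = NULL;
}

/* Fixed teardown: counter reset with the pointer. The reset must come after
 * the free call, which still needs the real count to walk the array. */
void cleanup_iface_fixed(struct iface *iface)
{
    free_hw_features(iface->hw_features, iface->num_hw_features);
    iface->hw_features = NULL;
    iface->num_hw_features = 0;
    iface->current_mode = NULL;
}

/* Invariant every "for (i = 0; i < num_hw_features; i++)" loop relies on:
 * a NULL array carries a zero count and no current_mode; a live array has a
 * positive count and current_mode (if set) points inside it. */
bool iface_hw_features_consistent(const struct iface *iface)
{
    if (iface->hw_features == NULL)
        return iface->num_hw_features == 0 && iface->current_mode == NULL;
    if (iface->num_hw_features <= 0)
        return false;
    if (iface->current_mode &&
        (iface->current_mode < iface->hw_features ||
         iface->current_mode >= iface->hw_features + iface->num_hw_features))
        return false;
    return true;
}

/* Guarded walk over the modes: returns how many modes were visited, or -1
 * when the pair is inconsistent, instead of indexing through a dead array. */
int visit_hw_modes(const struct iface *iface)
{
    int i, visited = 0;
    if (!iface_hw_features_consistent(iface))
        return -1;
    for (i = 0; i < iface->num_hw_features; i++)
        if (iface->hw_features[i].channels)
            visited++;
    return visited;
}

/* Constructed sample input: an iface with n modes, 4 channels each. */
int iface_init(struct iface *iface, int n)
{
    int i;
    memset(iface, 0, sizeof(*iface));
    iface->hw_features = calloc(n, sizeof(*iface->hw_features));
    if (!iface->hw_features)
        return -1;
    for (i = 0; i < n; i++) {
        iface->hw_features[i].mode = i;
        iface->hw_features[i].num_channels = 4;
        iface->hw_features[i].channels = calloc(4, sizeof(int));
        if (!iface->hw_features[i].channels) {
            free_hw_features(iface->hw_features, i);
            iface->hw_features = NULL;
            return -1;
        }
    }
    iface->num_hw_features = n;
    iface->current_mode = &iface->hw_features[0];
    return 0;
}
```

After cleanup_iface_buggy() the pair reads as (NULL, 3), so iface_hw_features_consistent() fails and visit_hw_modes() returns -1 rather than dereferencing hw_features[i]; after cleanup_iface_fixed() it reads as (NULL, 0), the loop body never runs, and the walk returns 0. Running the real reproduction above under AddressSanitizer or valgrind is the analogous check for hostapd itself.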