Re: [PATCH] hostapd: hostapd_cleanup_iface_partial: fix hw_features use after free

On Wed, Dec 18, 2024 at 07:50:18AM +0000, Petr Štetiar wrote:
> Currently when the iface is being cleaned up, the
> hostapd_free_hw_features() is called which frees the underlying
> hw_features and the struct is being NULLed, but the num_hw_features
> counter is not being reset, thus following commonly used access
> constructs:
> 
>    for (i = 0; i < iface->num_hw_features; i++)
>             acs_cleanup_mode(&iface->hw_features[i]);
> 
> This might then lead to use after free and hostapd for example might
> crash during configuration reload on disabled interfaces:
> 
>   $ hostapd -ddt /tmp/wlan2_hapd.conf &
>   $ hostapd_cli -i wlan2 raw DISABLE
> 
>   Fri Oct  4 20:44:04 2024 1728074644.706408: wlan2: AP-DISABLED
> 
>   $ kill -SIGHUP $(pidof hostapd)
>   Segmentation fault (core dumped) hostapd -ddt /tmp/wlan2_hapd.conf
> 
> So let's fix it by resetting the num_hw_features counter to 0, so the
> code will not try to access the freed memory in hw_features struct.

Thanks, applied.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
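
The stale-counter pattern from the quoted commit message, as an added example that is not part of the original message or hostapd's own code. It is a simplified model (the struct and function names are hypothetical) with the cleanup that leaves num_hw_features stale, the cleanup that resets it, and a walker that checks the count/pointer invariant instead of dereferencing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the interface state (hypothetical, not hostapd's struct). */
struct mode_model { int *channels; };
struct iface_model {
    struct mode_model *hw_features;
    size_t num_hw_features;
};

/* Pattern from the commit message: array freed, pointer NULLed, counter stale. */
static void cleanup_stale(struct iface_model *iface)
{
    free(iface->hw_features);
    iface->hw_features = NULL;
}

/* Fixed pattern: pointer and counter are reset together. */
static void cleanup_fixed(struct iface_model *iface)
{
    cleanup_stale(iface);
    iface->num_hw_features = 0;
}

/* Walker with an invariant check: a non-zero count requires a live array.
 * Returns entries visited, or -1 instead of dereferencing the stale state. */
static long walk_modes(struct iface_model *iface)
{
    size_t i;

    if (iface->num_hw_features != 0 && iface->hw_features == NULL)
        return -1;
    for (i = 0; i < iface->num_hw_features; i++)
        iface->hw_features[i].channels = NULL;
    return (long)iface->num_hw_features;
}

/* Build a constructed 3-mode interface, clean it up, then walk it. */
static long walk_after(void (*cleanup)(struct iface_model *))
{
    struct iface_model iface = { calloc(3, sizeof(struct mode_model)), 3 };
    cleanup(&iface);
    return walk_modes(&iface);
}

int main(void)
{
    printf("stale: %ld, fixed: %ld\n", walk_after(cleanup_stale), walk_after(cleanup_fixed));
    return 0;
}
```

Without the invariant check in walk_modes, the loop after cleanup_stale would index a NULL array three times, which is the crash path the commit message describes for a reload on a disabled interface.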



