On Wed, Dec 18, 2024 at 07:50:18AM +0000, Petr Štetiar wrote:
> Currently when the iface is being cleaned up, the
> hostapd_free_hw_features() is called which frees the underlying
> hw_features and the struct is being NULLed, but the num_hw_features
> counter is not being reset, thus following commonly used access
> constructs:
>
>     for (i = 0; i < iface->num_hw_features; i++)
>         acs_cleanup_mode(&iface->hw_features[i]);
>
> This might then lead to use after free and hostapd for example might
> crash during configuration reload on disabled interfaces:
>
>     $ hostapd -ddt /tmp/wlan2_hapd.conf &
>     $ hostapd_cli -i wlan2 raw DISABLE
>
>     Fri Oct 4 20:44:04 2024 1728074644.706408: wlan2: AP-DISABLED
>
>     $ kill -SIGHUP $(pidof hostapd)
>     Segmentation fault (core dumped) hostapd -ddt /tmp/wlan2_hapd.conf
>
> So let's fix it by resetting the num_hw_features counter to 0, so the
> code will not try to access the freed memory in hw_features struct.

Thanks, applied.

--
Jouni Malinen
PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
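The defect pattern described in the quoted commit message, shown as an added, self-contained C example that is not hostapd's own code: `struct iface`, `struct hw_mode`, `free_features_stale_count()`, `free_features_reset_count()` and `cleanup_all_modes()` are stand-ins for the real structures and for `hostapd_free_hw_features()` / `acs_cleanup_mode()`, chosen only to reproduce the pointer-NULLed-but-count-kept state and the fix of resetting both together. The buggy path is never iterated here, since doing so would be exactly the NULL-base dereference that crashed hostapd on reload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative stand-ins (not hostapd's real structs): one entry per
 * supported hardware mode, and an interface that owns an array of them. */
struct hw_mode {
    int channels;
};

struct iface {
    struct hw_mode *hw_features;
    size_t num_hw_features;
};

/* Allocate n modes so the functions below have something to free. */
static int iface_alloc_features(struct iface *iface, size_t n)
{
    iface->hw_features = calloc(n, sizeof(*iface->hw_features));
    if (!iface->hw_features)
        return -1;
    iface->num_hw_features = n;
    return 0;
}

/* Buggy pattern from the report: the array is released and the pointer
 * NULLed, but the element count survives, so any later
 * "for (i < num_hw_features)" loop indexes hw_features[i] off a NULL base. */
static void free_features_stale_count(struct iface *iface)
{
    free(iface->hw_features);
    iface->hw_features = NULL;
    /* num_hw_features deliberately left unchanged: this is the defect */
}

/* Fixed pattern: pointer and count are reset together, so the invariant
 * "num_hw_features == 0 whenever hw_features == NULL" always holds. */
static void free_features_reset_count(struct iface *iface)
{
    free(iface->hw_features);
    iface->hw_features = NULL;
    iface->num_hw_features = 0;
}

/* Stand-in for the per-mode cleanup loop quoted in the report; returns the
 * number of elements it touched. After the fixed free it returns 0 without
 * ever dereferencing the (NULL) array. */
static size_t cleanup_all_modes(struct iface *iface)
{
    size_t i, touched = 0;

    for (i = 0; i < iface->num_hw_features; i++) {
        iface->hw_features[i].channels = 0; /* faults if the count is stale */
        touched++;
    }
    return touched;
}

/* Invariant a reviewer could keep as a debug assertion on every free path. */
static int iface_invariant_holds(const struct iface *iface)
{
    return (iface->hw_features == NULL) == (iface->num_hw_features == 0);
}

/* Returns the count left behind by the buggy free (still n). The cleanup
 * loop is intentionally NOT run on this state. */
static size_t stale_count_after_buggy_free(size_t n)
{
    struct iface iface;

    memset(&iface, 0, sizeof(iface));
    if (iface_alloc_features(&iface, n) < 0)
        return (size_t)-1;
    free_features_stale_count(&iface);
    return iface.num_hw_features;
}

/* Returns 1 if the buggy free leaves the pointer/count invariant broken. */
static int buggy_free_breaks_invariant(size_t n)
{
    struct iface iface;

    memset(&iface, 0, sizeof(iface));
    if (iface_alloc_features(&iface, n) < 0)
        return -1;
    free_features_stale_count(&iface);
    return !iface_invariant_holds(&iface);
}

/* Runs the cleanup loop after the fixed free; returns 0 elements touched
 * and leaves the invariant intact (checked by the caller via the return). */
static size_t touched_after_fixed_free(size_t n)
{
    struct iface iface;
    size_t touched;

    memset(&iface, 0, sizeof(iface));
    if (iface_alloc_features(&iface, n) < 0)
        return (size_t)-1;
    free_features_reset_count(&iface);
    touched = cleanup_all_modes(&iface);
    return iface_invariant_holds(&iface) ? touched : (size_t)-1;
}

int main(void)
{
    printf("count left by buggy free: %zu (invariant broken: %d)\n",
           stale_count_after_buggy_free(3), buggy_free_breaks_invariant(3));
    printf("modes touched after fixed free: %zu\n",
           touched_after_fixed_free(3));
    return 0;
}
```

The point the example makes is that a free routine owning an array must clear the length alongside the pointer; keeping a single helper that does both, plus a cheap invariant check on the pointer/count pair, turns this class of stale-count use-after-free into a local assertion failure instead of a crash during SIGHUP reload.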