From 1c83b67efd5cac9d6f6cb46cfa4ba3caef2c9612 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 3 Jan 2010 01:25:43 +0200
Subject: [PATCH] Fix memory corruption on BSS entry reallocation

The wpa_s->bss_id list was being corrupted when the BSS entry needed to be reallocated due to longer IE data. The entry has to be removed from all lists before reallocation to avoid this (it was only removed from the wpa_s->bss list).
---
 wpa_supplicant/bss.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 62086a4eb..6446c058f 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -148,12 +148,15 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 bss->ie_len = res->ie_len;
 } else {
 struct wpa_bss *nbss;
+ struct dl_list *prev = bss->list_id.prev;
+ dl_list_del(&bss->list_id);
 nbss = os_realloc(bss, sizeof(*bss) + res->ie_len);
 if (nbss) {
 bss = nbss;
 os_memcpy(bss + 1, res + 1, res->ie_len);
 bss->ie_len = res->ie_len;
 }
+ dl_list_add(prev, &bss->list_id);
 }
 dl_list_add_tail(&wpa_s->bss, &bss->list);
 }
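Review bot: The invariant the new lines rely on is left implicit: `os_realloc()` may move the entry, so `bss` has to be unlinked from every list that embeds a `struct dl_list` in it before the call and relinked afterwards; the hunk handles `list_id`, and the commit message says `list` was already unlinked earlier in wpa_bss_update, which starts above this hunk and is not visible here. A comment on the `dl_list_del(&bss->list_id);` line would stop the next list added to `struct wpa_bss` from reintroducing the same corruption, e.g. `/* realloc may move the entry: unlink from every list (bss, bss_id) before os_realloc() and relink afterwards */`. Any other raw pointer to the old `bss` held outside these two lists would likewise dangle after a successful realloc; whether such pointers exist cannot be told from this hunk. When `os_realloc()` fails the old entry is relinked with its old IEs, which is safe but drops the updated IEs without a trace, so a `wpa_printf(MSG_DEBUG, ...)` on that path would make the loss visible in logs.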