mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-17 18:34:03 -05:00
ACS: Fix number of error path issues
Especially when multiple BSSes are used with ACS, number of the error paths were not cleaning up driver initialization properly. This could result in using freed memory and crashing the process if ACS failed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
09e38c2fce
commit
4d1e38be9e
@ -749,7 +749,7 @@ static void acs_scan_complete(struct hostapd_iface *iface)
|
|||||||
err = hostapd_drv_get_survey(iface->bss[0], 0);
|
err = hostapd_drv_get_survey(iface->bss[0], 0);
|
||||||
if (err) {
|
if (err) {
|
||||||
wpa_printf(MSG_ERROR, "ACS: Failed to get survey data");
|
wpa_printf(MSG_ERROR, "ACS: Failed to get survey data");
|
||||||
acs_fail(iface);
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (++iface->acs_num_completed_scans < iface->conf->acs_num_scans) {
|
if (++iface->acs_num_completed_scans < iface->conf->acs_num_scans) {
|
||||||
@ -801,6 +801,7 @@ static int acs_request_scan(struct hostapd_iface *iface)
|
|||||||
if (hostapd_driver_scan(iface->bss[0], ¶ms) < 0) {
|
if (hostapd_driver_scan(iface->bss[0], ¶ms) < 0) {
|
||||||
wpa_printf(MSG_ERROR, "ACS: Failed to request initial scan");
|
wpa_printf(MSG_ERROR, "ACS: Failed to request initial scan");
|
||||||
acs_cleanup(iface);
|
acs_cleanup(iface);
|
||||||
|
os_free(params.freqs);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1591,6 +1591,27 @@ void hostapd_interface_deinit_free(struct hostapd_iface *iface)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void hostapd_deinit_driver(const struct wpa_driver_ops *driver,
|
||||||
|
void *drv_priv,
|
||||||
|
struct hostapd_iface *hapd_iface)
|
||||||
|
{
|
||||||
|
size_t j;
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
|
||||||
|
__func__, driver, drv_priv);
|
||||||
|
if (driver && driver->hapd_deinit && drv_priv) {
|
||||||
|
driver->hapd_deinit(drv_priv);
|
||||||
|
for (j = 0; j < hapd_iface->num_bss; j++) {
|
||||||
|
wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p",
|
||||||
|
__func__, (int) j,
|
||||||
|
hapd_iface->bss[j]->drv_priv);
|
||||||
|
if (hapd_iface->bss[j]->drv_priv == drv_priv)
|
||||||
|
hapd_iface->bss[j]->drv_priv = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int hostapd_enable_iface(struct hostapd_iface *hapd_iface)
|
int hostapd_enable_iface(struct hostapd_iface *hapd_iface)
|
||||||
{
|
{
|
||||||
if (hapd_iface->bss[0]->drv_priv != NULL) {
|
if (hapd_iface->bss[0]->drv_priv != NULL) {
|
||||||
@ -1613,17 +1634,9 @@ int hostapd_enable_iface(struct hostapd_iface *hapd_iface)
|
|||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (hostapd_setup_interface(hapd_iface)) {
|
if (hostapd_setup_interface(hapd_iface)) {
|
||||||
const struct wpa_driver_ops *driver;
|
hostapd_deinit_driver(hapd_iface->bss[0]->driver,
|
||||||
void *drv_priv;
|
hapd_iface->bss[0]->drv_priv,
|
||||||
|
hapd_iface);
|
||||||
driver = hapd_iface->bss[0]->driver;
|
|
||||||
drv_priv = hapd_iface->bss[0]->drv_priv;
|
|
||||||
wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
|
|
||||||
__func__, driver, drv_priv);
|
|
||||||
if (driver && driver->hapd_deinit && drv_priv) {
|
|
||||||
driver->hapd_deinit(drv_priv);
|
|
||||||
hapd_iface->bss[0]->drv_priv = NULL;
|
|
||||||
}
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1676,12 +1689,7 @@ int hostapd_disable_iface(struct hostapd_iface *hapd_iface)
|
|||||||
hostapd_free_hapd_data(hapd);
|
hostapd_free_hapd_data(hapd);
|
||||||
}
|
}
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
|
hostapd_deinit_driver(driver, drv_priv, hapd_iface);
|
||||||
__func__, driver, drv_priv);
|
|
||||||
if (driver && driver->hapd_deinit && drv_priv) {
|
|
||||||
driver->hapd_deinit(drv_priv);
|
|
||||||
hapd_iface->bss[0]->drv_priv = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* From hostapd_cleanup_iface: These were initialized in
|
/* From hostapd_cleanup_iface: These were initialized in
|
||||||
* hostapd_setup_interface and hostapd_setup_interface_complete
|
* hostapd_setup_interface and hostapd_setup_interface_complete
|
||||||
|
Loading…
Reference in New Issue
Block a user