GAS: Remove all radio works before calling gas_query_deinit()

Remove all gas-query radio works before calling gas_query_deinit()
as the gas_query_deinit() flow frees the query context, which might
later be accessed from the radio work callback (and result
in unexpected behavior, e.g., segmentation fault).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer 2015-06-01 13:38:10 +03:00 committed by Jouni Malinen
parent 1a5041791e
commit 57e832de37


@ -493,6 +493,16 @@ static void wpa_supplicant_cleanup(struct wpa_supplicant *wpa_s)
wpas_mac_addr_rand_scan_clear(wpa_s, MAC_ADDR_RAND_ALL);
/*
* Need to remove any pending gas-query radio work before the
* gas_query_deinit() call because gas_query::work has not yet been set
* for works that have not been started. gas_query_free() will be unable
* to cancel such pending radio works and once the pending gas-query
* radio work eventually gets removed, the deinit notification call to
* gas_query_start_cb() would result in dereferencing freed memory.
*/
if (wpa_s->radio)
radio_remove_works(wpa_s, "gas-query", 0);
gas_query_deinit(wpa_s->gas);
wpa_s->gas = NULL;
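Review bot: the ordering invariant this hunk relies on (radio_remove_works() for "gas-query" must run before gas_query_deinit()) is enforced only at this one call site, so any future caller of gas_query_deinit(), or a later reordering of wpa_supplicant_cleanup(), reintroduces the use-after-free that the block comment describes. The comment itself names the root cause: gas_query::work is unset for works that have not started, so gas_query_free() cannot cancel them and the deinit notification to gas_query_start_cb() then dereferences freed memory. Consider moving the `radio_remove_works(wpa_s, "gas-query", 0);` call (with its `if (wpa_s->radio)` guard) into gas_query_free() or gas_query_deinit() so the dependency is owned by the GAS module rather than by its caller, or at minimum have gas_query_start_cb() tolerate a deinit notification for a query whose context is already gone. Also, the comment explains the why well, but a one-line note in gas_query.h next to gas_query_deinit() stating this precondition would help anyone who reads the API without the cleanup code in front of them.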