From 20a0b03debef66cc57b0c34a05f8be5229be907c Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 27 Jun 2011 19:02:24 +0300
Subject: [PATCH] Clear WPA and EAPOL state machine config pointer on network
Make sure that the WPA and EAPOL state machines do not hold a pointer
to a network configuration that is about to be freed. This can fix
potential issues with references to freed memory.
wpa_supplicant/ctrl_iface.c | 4 ++++
wpa_supplicant/p2p_supplicant.c | 7 ++++++-
wpa_supplicant/wps_supplicant.c | 10 +++++++++-
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
17
index cbc6fef..730e607 100644
18
--- a/wpa_supplicant/ctrl_iface.c
19
+++ b/wpa_supplicant/ctrl_iface.c
20
@@ -1393,6 +1393,8 @@ static int wpa_supplicant_ctrl_iface_remove_network(
22
if (wpa_s->current_ssid) {
23
eapol_sm_invalidate_cached_session(wpa_s->eapol);
24
+ wpa_sm_set_config(wpa_s->wpa, NULL);
25
+ eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);
26
wpa_supplicant_disassociate(wpa_s,
27
WLAN_REASON_DEAUTH_LEAVING);
29
@@ -1416,6 +1418,8 @@ static int wpa_supplicant_ctrl_iface_remove_network(
32
eapol_sm_invalidate_cached_session(wpa_s->eapol);
33
+ wpa_sm_set_config(wpa_s->wpa, NULL);
34
+ eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);
36
wpa_supplicant_disassociate(wpa_s, WLAN_REASON_DEAUTH_LEAVING);
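Review bot: The pair `wpa_sm_set_config(wpa_s->wpa, NULL);` / `eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);` is open-coded in both hunks of wpa_supplicant_ctrl_iface_remove_network and again in wpas_clear_wps in wps_supplicant.c, with no comment tying it to the free that follows. A call site that misses the pair leaves the state machines holding a dangling config pointer, so one static helper called immediately before every network removal would make the invariant harder to break. At minimum, add `/* state machines must not reference the network config once it is freed */` above each pair. The function body and the removal call itself lie outside these hunks, so this page cannot confirm that every path freeing a network is covered.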
38
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
39
index b75c6ef..e3388bd 100644
40
--- a/wpa_supplicant/wps_supplicant.c
41
+++ b/wpa_supplicant/wps_supplicant.c
43
#include "common/wpa_ctrl.h"
44
#include "eap_common/eap_wsc_common.h"
45
#include "eap_peer/eap.h"
46
+#include "eapol_supp/eapol_supp_sm.h"
47
#include "rsn_supp/wpa.h"
49
#include "wpa_supplicant_i.h"
50
@@ -673,7 +674,9 @@ enum wps_request_type wpas_wps_get_req_type(struct wpa_ssid *ssid)
51
static void wpas_clear_wps(struct wpa_supplicant *wpa_s)
54
- struct wpa_ssid *ssid, *remove_ssid = NULL;
55
+ struct wpa_ssid *ssid, *remove_ssid = NULL, *prev_current;
57
+ prev_current = wpa_s->current_ssid;
59
eloop_cancel_timeout(wpas_wps_timeout, wpa_s, NULL);
61
@@ -692,6 +695,11 @@ static void wpas_clear_wps(struct wpa_supplicant *wpa_s)
65
+ if (prev_current == remove_ssid) {
66
+ wpa_sm_set_config(wpa_s->wpa, NULL);
67
+ eapol_sm_notify_config(wpa_s->eapol, NULL,
70
wpas_notify_network_removed(wpa_s, remove_ssid);
71
wpa_config_remove_network(wpa_s->conf, id);
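Review bot: `prev_current` in wpas_clear_wps is captured at function entry and compared by address against `remove_ssid` much later, but nothing explains why the live `wpa_s->current_ssid` is not read at that point. Presumably the loop between the two hunks resets current_ssid before the removal, which would make the snapshot necessary; that code is not visible here, so a comment at the assignment such as `/* remember the active network; current_ssid may be cleared before the entry is removed */` should state the reason. Unlike the ctrl_iface.c paths, no `eapol_sm_invalidate_cached_session()` call is visible next to the clear in this hunk, so it is worth confirming that the difference is intentional. The listing drops several lines of this hunk, including the end of the `eapol_sm_notify_config(` call, and the rest of the function lies outside it.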