From patchwork Mon Mar 5 10:30:15 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: BSS: Fix use-after-realloc
Date: Mon, 05 Mar 2012 00:30:15 -0000
From: Eliad Peller
X-Patchwork-Id: 144645
Message-Id: <1330943415-6823-1-git-send-email-eliad@wizery.com>
To:

After reallocation of the bss struct, current_bss wasn't updated and could hold an invalid pointer (which might get dereferenced later).
Update current_bss if the pointer was changed.

Signed-hostap: Eliad Peller
intended-for: hostap-1
---
realloc is pretty dangerous if a reference could be saved somewhere. I suspect there might be similar issues in the codebase, but I haven't looked at it thoroughly.

 wpa_supplicant/bss.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 2a5bb85..c0b4331 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -333,6 +333,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss, res->ie_len + res->beacon_ie_len); bss->ie_len = res->ie_len; bss->beacon_ie_len = res->beacon_ie_len; + if (wpa_s->current_bss == bss) + wpa_s->current_bss = nbss; } dl_list_add(prev, &bss->list_id); }
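Review bot: the new check `if (wpa_s->current_bss == bss)` sits after `bss->ie_len = res->ie_len;` and `bss->beacon_ie_len = res->beacon_ie_len;`, and those writes only make sense if `bss` has already been rebound to the reallocated block `nbss` by this point (otherwise they would write into freed memory). If that is the case, the comparison is against the new address and can only match when os_realloc returned the same pointer, where `wpa_s->current_bss = nbss;` changes nothing; in the case the patch is for, where the block moved, `current_bss` still holds the old address and stays stale. Move the two lines to directly after the successful realloc, before `bss` is overwritten, so the comparison is against the old address:

	if (wpa_s->current_bss == bss)
		wpa_s->current_bss = nbss;
	bss = nbss;

The old address is then only compared, never dereferenced; a one-line comment saying so would save the next reader from mistaking it for a use-after-free.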
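The realloc hazard described in the message above, as an added example that is not hostap code: a small model of a BSS entry whose IE bytes are allocated together with the header, a cached reference in the role of current_bss, and an updater that forgets that reference beside one that re-points it while the old address is still known. The names (struct bss, struct ctx, bss_update_buggy, bss_update_fixed, run_scenario, consistent_iff_unmoved) are hypothetical and the IE bytes are constructed.

```c
/* Added example, not hostap code: a cached pointer going stale across
 * realloc(), beside the corrected ordering. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entry whose variable-length IE blob lives right after the header, so
 * growing the IEs means realloc()ing the whole struct. */
struct bss {
    size_t ie_len;
    /* ie_len bytes of IEs follow at (unsigned char *)(b + 1) */
};

/* Owner of the allocation plus a cached reference to it, in the role of
 * wpa_s->current_bss. */
struct ctx {
    struct bss *bss;     /* live allocation */
    struct bss *current; /* saved reference that must follow it */
};

static struct bss *bss_alloc(const unsigned char *ies, size_t len)
{
    struct bss *b = malloc(sizeof(*b) + len);
    if (!b)
        return NULL;
    b->ie_len = len;
    memcpy(b + 1, ies, len);
    return b;
}

/* Buggy: grows the entry but never re-points ctx->current. Returns 0 on
 * success, -1 if realloc() fails (the old block is then left intact). */
int bss_update_buggy(struct ctx *c, const unsigned char *ies, size_t len)
{
    struct bss *nbss = realloc(c->bss, sizeof(*nbss) + len);
    if (!nbss)
        return -1;
    c->bss = nbss;  /* old address is freed, but c->current still holds it */
    memcpy(nbss + 1, ies, len);
    nbss->ie_len = len;
    return 0;
}

/* Fixed: re-point the saved reference while c->bss still holds the OLD
 * address (only compared, never dereferenced). After c->bss = nbss the
 * comparison could no longer recognise the stale reference. */
int bss_update_fixed(struct ctx *c, const unsigned char *ies, size_t len)
{
    struct bss *nbss = realloc(c->bss, sizeof(*nbss) + len);
    if (!nbss)
        return -1;
    if (c->current == c->bss)
        c->current = nbss;
    c->bss = nbss;
    memcpy(nbss + 1, ies, len);
    nbss->ie_len = len;
    return 0;
}

struct outcome {
    int ok;         /* 0 on allocation failure */
    int moved;      /* 1 if realloc() returned a different address */
    int consistent; /* 1 if ctx.current == ctx.bss after the update */
};

/* Allocate a 4-byte entry, cache it, pin a neighbour block after it so an
 * in-place grow is unlikely, then grow to 4096 bytes with `update`. */
struct outcome run_scenario(int (*update)(struct ctx *, const unsigned char *, size_t))
{
    static const unsigned char small_ies[4] = { 0xdd, 0x02, 0xaa, 0xbb }; /* constructed */
    unsigned char big_ies[4096];
    struct outcome o = { 0, 0, 0 };
    struct ctx c;
    void *neighbour;
    uintptr_t old;

    memset(big_ies, 0xdd, sizeof(big_ies));
    c.bss = bss_alloc(small_ies, sizeof(small_ies));
    if (!c.bss)
        return o;
    neighbour = malloc(64);
    c.current = c.bss;
    old = (uintptr_t)c.bss;
    if (update(&c, big_ies, sizeof(big_ies)) == 0) {
        o.ok = 1;
        o.moved = (uintptr_t)c.bss != old;
        o.consistent = (c.current == c.bss);
    }
    free(c.bss);
    free(neighbour);
    return o;
}

/* 1 if one run of `update` leaves the cache consistent exactly when the
 * block did not move: the signature of an updater that never re-points. */
int consistent_iff_unmoved(int (*update)(struct ctx *, const unsigned char *, size_t))
{
    struct outcome o = run_scenario(update);
    return o.ok && o.consistent == !o.moved;
}

int main(void)
{
    struct outcome b = run_scenario(bss_update_buggy);
    struct outcome f = run_scenario(bss_update_fixed);
    printf("buggy: moved=%d cache consistent=%d\n", b.moved, b.consistent);
    printf("fixed: moved=%d cache consistent=%d\n", f.moved, f.consistent);
    return 0;
}
```

Whether the block actually moves depends on the allocator, which is why the neighbour block is pinned after the entry; on a typical run the buggy updater reports moved=1 with an inconsistent cache, while the fixed updater's cache matches the live allocation either way because it compares against the old address before rebinding.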