Patchwork wpa_supplicant: Fix access to the freed memory when removing all networks

Submitter Jaewan Kim
Date Jan. 29, 2013, 4:37 a.m.
Message ID <CABZjns6QBx4ubyL5dmTu9+t8osxsQo0NE3sax8k3W=v24rR+6A@mail.gmail.com>
Permalink /patch/216425/
State Accepted
Commit 391f492532eb980dd386b89c383f88533b27a066

Comments

Jaewan Kim - Jan. 29, 2013, 4:37 a.m.
Previous CL 'Fix REMOVE_NETWORK to not run operations with invalid
current_ssid' fixed this issue for 'removing a network', and we also need to
take care of 'removing all networks'.

Signed-hostap: Jaewan Kim <jaewan at google.com>

Jouni Malinen - Feb. 3, 2013, 7:24 p.m.
On Tue, Jan 29, 2013 at 01:37:34PM +0900, Jaewan Kim wrote:
> Previous CL 'Fix REMOVE_NETWORK to not run operations with invalid
> current_ssid' fixed this issue for 'removing a network', and we also need to
> take care of 'removing all networks'.

Thanks! Applied.

Patch

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index ecafc6c..33deacc 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -2108,14 +2108,6 @@  static int wpa_supplicant_ctrl_iface_remove_network(
        /* cmd: "<network id>" or "all" */
        if (os_strcmp(cmd, "all") == 0) {
                wpa_printf(MSG_DEBUG, "CTRL_IFACE: REMOVE_NETWORK all");
-               ssid = wpa_s->conf->ssid;
-               while (ssid) {
-                       struct wpa_ssid *remove_ssid = ssid;
-                       id = ssid->id;
-                       ssid = ssid->next;
-                       wpas_notify_network_removed(wpa_s, remove_ssid);
-                       wpa_config_remove_network(wpa_s->conf, id);
-               }
                eapol_sm_invalidate_cached_session(wpa_s->eapol);
                if (wpa_s->current_ssid) {
 #ifdef CONFIG_SME
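Review bot: at the top of the "all" branch, where the removal loop used to sit before eapol_sm_invalidate_cached_session(), nothing now records that the order matters. A one-line comment there, stating that the wpa_s->current_ssid handling must finish before any network is removed, would keep a later cleanup from moving the loop back above the `if (wpa_s->current_ssid)` block.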
@@ -2126,6 +2118,14 @@  static int wpa_supplicant_ctrl_iface_remove_network(
                        wpa_supplicant_deauthenticate(
                                wpa_s, WLAN_REASON_DEAUTH_LEAVING);
                }
+               ssid = wpa_s->conf->ssid;
+               while (ssid) {
+                       struct wpa_ssid *remove_ssid = ssid;
+                       id = ssid->id;
+                       ssid = ssid->next;
+                       wpas_notify_network_removed(wpa_s, remove_ssid);
+                       wpa_config_remove_network(wpa_s->conf, id);
+               }
                return 0;
        }
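Review bot: the relocated loop just before `return 0;` removes every network, including the one wpa_s->current_ssid pointed to in the block above, and the visible lines do not show that pointer being reset. If wpa_supplicant_deauthenticate() is relied on to clear it, a comment saying so would help; otherwise consider clearing wpa_s->current_ssid before the loop so that no stale pointer survives the removal.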