
Fix use after free warning introduced by gcc 12.1

Message ID 20230419192642.156001-1-krishna.t@nordicsemi.no
State Superseded

Commit Message

Krishna Chaitanya April 19, 2023, 7:26 p.m. UTC
From: krishna T <krishna.t@nordicsemi.no>

gcc 12.1 warns about using a pointer after it has been passed to realloc():
the block may have been moved or freed, so any use of the old pointer value
after the call is undefined behavior.

Fix this by storing the pointer before realloc.

Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
---
 wpa_supplicant/bss.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Krishna Chaitanya April 20, 2023, 5:58 p.m. UTC | #1
On Thu, Apr 20, 2023 at 12:56 AM Krishna <chaitanya.mgit@gmail.com> wrote:
>
> From: krishna T <krishna.t@nordicsemi.no>
>
> gcc 12.1 complains about using pointer after realloc as it could
> potentially be moved/freed, causing any uses after UB.
>
> Fix this by storing the pointer before realloc.
>
> Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
> ---
>  wpa_supplicant/bss.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
> index 320441426..2484d4e14 100644
> --- a/wpa_supplicant/bss.c
> +++ b/wpa_supplicant/bss.c
> @@ -724,6 +724,7 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
>                 bss->beacon_ie_len = res->beacon_ie_len;
>         } else {
>                 struct wpa_bss *nbss;
> +               struct wpa_bss *old_bss = bss;
>                 struct dl_list *prev = bss->list_id.prev;
>                 dl_list_del(&bss->list_id);
>                 nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
> @@ -731,14 +732,14 @@ wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
>                 if (nbss) {
>                         unsigned int i;
>                         for (i = 0; i < wpa_s->last_scan_res_used; i++) {
> -                               if (wpa_s->last_scan_res[i] == bss) {
> +                               if (wpa_s->last_scan_res[i] == old_bss) {
>                                         wpa_s->last_scan_res[i] = nbss;
>                                         break;
>                                 }
>                         }
> -                       if (wpa_s->current_bss == bss)
> +                       if (wpa_s->current_bss == old_bss)
>                                 wpa_s->current_bss = nbss;
> -                       wpa_bss_update_pending_connect(wpa_s, bss, nbss);
> +                       wpa_bss_update_pending_connect(wpa_s, old_bss, nbss);
>                         bss = nbss;
>                         os_memcpy(bss->ies, res + 1,
>                                   res->ie_len + res->beacon_ie_len);
> --
> 2.34.1
The warning is still there, working on it, will send a v2.

Patch

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 320441426..2484d4e14 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -724,6 +724,7 @@  wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 		bss->beacon_ie_len = res->beacon_ie_len;
 	} else {
 		struct wpa_bss *nbss;
+		struct wpa_bss *old_bss = bss;
 		struct dl_list *prev = bss->list_id.prev;
 		dl_list_del(&bss->list_id);
 		nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
@@ -731,14 +732,14 @@  wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 		if (nbss) {
 			unsigned int i;
 			for (i = 0; i < wpa_s->last_scan_res_used; i++) {
-				if (wpa_s->last_scan_res[i] == bss) {
+				if (wpa_s->last_scan_res[i] == old_bss) {
 					wpa_s->last_scan_res[i] = nbss;
 					break;
 				}
 			}
-			if (wpa_s->current_bss == bss)
+			if (wpa_s->current_bss == old_bss)
 				wpa_s->current_bss = nbss;
-			wpa_bss_update_pending_connect(wpa_s, bss, nbss);
+			wpa_bss_update_pending_connect(wpa_s, old_bss, nbss);
 			bss = nbss;
 			os_memcpy(bss->ies, res + 1,
 				  res->ie_len + res->beacon_ie_len);
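Review bot: The three uses on the new side — `wpa_s->last_scan_res[i] == old_bss`, `wpa_s->current_bss == old_bss` and `wpa_bss_update_pending_connect(wpa_s, old_bss, nbss)` — still read the pointer value that was handed to os_realloc() in the previous hunk; `old_bss` is merely a second variable holding that same value, so the copy removes neither the standard's indeterminate-pointer problem nor, apparently, the gcc diagnostic, which tracks the value rather than the variable name. Since this code only needs the old block's identity and never dereferences it, capture that identity as an integer before the call: replace the `old_bss` declaration with `uintptr_t old_id = (uintptr_t) bss;` (before dl_list_del/os_realloc), then compare `if ((uintptr_t) wpa_s->last_scan_res[i] == old_id)` and `if ((uintptr_t) wpa_s->current_bss == old_id)`. The `wpa_bss_update_pending_connect()` call would still pass the stale pointer into a function whose body is outside this page; if that function also only compares, it can take the integer identity instead, which is a signature change beyond this hunk. wpa_bss_update() begins and ends outside the hunk, so the failure path after `if (nbss)` is not visible here.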