path: root/src/p2p/p2p.c
author: Jouni Malinen <jouni@qca.qualcomm.com> 2015-12-04 22:49:59 +0200
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2016-01-04 21:52:57 -0800
commit: ad6cecd573bb45283f016b11733706fb9bdc0b54
tree: df9ef8c5a209cf858d6a8b087e8879116e8fe5a8 /src/p2p/p2p.c
parent: 8cc5ff68960340807b79d85b9ddddef4cde11311
P2P: Fix P2P_CANCEL for p2p_in_invitation case

Commit f05cee9714ae87d315d893699a536b60a5aa73a9 ('P2P: Clear p2p_in_invitation on cancel') added a wpas_p2p_cancel() case to call wpas_p2p_group_formation_failed() if wpa_s->p2p_in_invitation is set. This is done in a loop going through wpa_s->next pointers. However, the call here can result in removing the interface and freeing wpa_s. The following attempt to read wpa_s->next is from freed memory and that can result in process termination when using a separate P2P group interface and issuing P2P_CANCEL on a group that was started through re-invocation of a persistent group.

The recent commit 328f49acfe961a212e89e750516d2e2cc320765f ('P2P: Complete group formation on client data connection') "fixed" this by accident since wpa_s->p2p_in_invitation gets cleared in the sequence that could hit this issue and this results in P2P_CANCEL getting rejected. However, the real bug here is in the loop that continues after possible wpa_s instance deletion. Fix that by breaking out of the loop

Git-commit: 63502c64e13d35dad591c315c8606866d9e07bce
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
CRs-Fixed: 950786
Change-Id: I91c75254ed1371edb5ef398167d156824bf06239

Diffstat (limited to 'src/p2p/p2p.c')
0 files changed, 0 insertions, 0 deletions
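
A simplified model of the loop bug described in the commit message above, added here as an example (it is not code from this commit or from wpa_supplicant). The names `struct iface`, `formation_failed()`, `cancel_all()` and `run()` are hypothetical, and removal is modelled with a `freed` flag instead of `free()` so the stale `->next` read can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model of the loop; all names here are hypothetical. */
struct iface {
    struct iface *next;
    int in_invitation;  /* stands in for wpa_s->p2p_in_invitation */
    int freed;          /* set where the real code would free the node */
};
static struct iface *head;

/* Failure handler that removes the interface it was called on. */
static void formation_failed(struct iface *w)
{
    struct iface **pp;
    for (pp = &head; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; break; }
    w->next = NULL;     /* poison instead of free() so the model has no UB */
    w->freed = 1;
}

/* Returns how often ->next was read from a removed node.
 * break_after_cancel=0 keeps iterating (the bug); 1 leaves the loop (the fix). */
static int cancel_all(int break_after_cancel)
{
    int stale_reads = 0;
    for (struct iface *w = head; w; w = w->next) {
        if (!w->in_invitation)
            continue;
        formation_failed(w);
        if (break_after_cancel)
            break;
        stale_reads += w->freed;  /* real code: w->next is freed memory */
    }
    return stale_reads;
}

/* Constructed sample: three interfaces, the middle one in invitation. */
static int run(int break_after_cancel)
{
    static struct iface n[3];
    for (int i = 0; i < 3; i++)
        n[i] = (struct iface){ i < 2 ? &n[i + 1] : NULL, i == 1, 0 };
    head = &n[0];
    return cancel_all(break_after_cancel);
}

int main(void)
{
    printf("stale ->next reads: no break=%d, break=%d\n", run(0), run(1));
}
```

In the model the loop without the break also stops before reaching the third interface, because the only path to it went through the removed node.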