From e212bad50b1c4f225c87bee1c3b9ba81a4504773 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon, 7 Apr 2014 13:35:18 +0300
Subject: WNM: Fix deinit path to clean neighbor report count

wnm_deallocate_memory() left wnm_num_neighbor_report set while freeing
the allocated buffer of neighbor reports. If this function was called
twice in a row without having went through new neighbor report parsing,
invalid pointers could have been freed resulted in segfault.

CRs-Fixed: 651033
Change-Id: If11be7c57365bedc65d3c5fe31f42aceec65c74a
Git-commit: ec331d09a29c6b0dd5c59123688cd55f6dcdc31a
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 wpa_supplicant/wnm_sta.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 4f8d895a..5731cbd5 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -314,6 +314,7 @@ void wnm_deallocate_memory(struct wpa_supplicant *wpa_s)
 		os_free(wpa_s->wnm_neighbor_report_elements[i].mul_bssid);
 	}
 
+	wpa_s->wnm_num_neighbor_report = 0;
 	os_free(wpa_s->wnm_neighbor_report_elements);
 	wpa_s->wnm_neighbor_report_elements = NULL;
 }
-- 
cgit v1.2.3