GAS: Fix double-free on an error path

If radio_add_work() fails, gas_query_req() ended up freeing the query
payload and returning an error. This resulted in also the caller trying
to free the query payload. Fix this by not freeing the buffer within
gas_query_req() in error case to be consistent with the other error
cases.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index c0c8c46..691de03 100644 (file)
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -774,6 +774,7 @@ int gas_query_req(struct gas_query *gas, const u8 *dst, int freq,
 
        if (radio_add_work(gas->wpa_s, freq, "gas-query", 0, gas_query_start_cb,
                           query) < 0) {
+               query->req = NULL; /* caller will free this in error case */
                gas_query_free(query, 1);
                return -1;
        }