WPS: Fix num_probereq_cb clearing on DISABLE to avoid segfault

Reset hapd->num_probereq_cb to 0 on an interface deinit to avoid
unexpected behavior if the same interface is enabled again without fully
freeing the data structures. hostapd_register_probereq_cb() increments
hapd->num_probereq_cb by one and leaves all old values unchanged. In
this deinit+init case, that would result in the first entry in the list
having an uninitialized pointer and the next Probe Request frame
processing would likely cause the process to terminate on segmentation
fault.

This issue could be hit when hostapd was used with WPS enabled (non-zero
wps_state configuration parameter) and control interface command DISABLE
and ENABLE were used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index e4d7bfc..c09c17a 100644 (file)
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -261,6 +261,7 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
 {
        os_free(hapd->probereq_cb);
        hapd->probereq_cb = NULL;
+       hapd->num_probereq_cb = 0;
 
 #ifdef CONFIG_P2P
        wpabuf_free(hapd->p2p_beacon_ie);