wpa_supplicant: Fix crash when terminating all interfaces
author Moshe Benji <Moshe.Benji@intel.com>
Sun, 15 Dec 2013 08:50:07 +0000 (10:50 +0200)
committer Jouni Malinen <j@w1.fi>
Tue, 24 Dec 2013 06:29:28 +0000 (08:29 +0200)
In wpa_supplicant_terminate_proc(), while iterating and
terminating interfaces, after an interface is terminated,
we can no longer access its memory as it is no longer valid
and causes a crash.

Fix this by saving the pointer to the next interface before freeing
the current one to avoid accessing an invalid memory location.

Signed-hostap: Moshe Benji <moshe.benji@intel.com>

wpa_supplicant/wpa_supplicant.c

index f25f546..897974b 100644 (file)
@@ -725,6 +725,7 @@ void wpa_supplicant_terminate_proc(struct wpa_global *global)
 #ifdef CONFIG_WPS
        struct wpa_supplicant *wpa_s = global->ifaces;
        while (wpa_s) {
+               struct wpa_supplicant *next = wpa_s->next;
 #ifdef CONFIG_P2P
                if (wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE ||
                    (wpa_s->current_ssid && wpa_s->current_ssid->p2p_group))
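Review bot: The `next` pointer saved at the top of the loop body only protects against the current `wpa_s` being freed; if the call made under the CONFIG_P2P condition can also remove other entries from `global->ifaces`, `next` may itself be stale by the time it is assigned. Please confirm that terminating one interface here removes at most that interface, and add a short comment beside `struct wpa_supplicant *next = wpa_s->next;` stating that `wpa_s` may be freed inside the loop, so a later cleanup does not go back to reading `wpa_s->next` at the bottom.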
@@ -732,7 +733,7 @@ void wpa_supplicant_terminate_proc(struct wpa_global *global)
 #endif /* CONFIG_P2P */
                if (wpas_wps_terminate_pending(wpa_s) == 1)
                        pending = 1;
-               wpa_s = wpa_s->next;
+               wpa_s = next;
        }
 #endif /* CONFIG_WPS */
        if (pending)
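Review bot: `wpas_wps_terminate_pending(wpa_s)` is still passed `wpa_s` after the CONFIG_P2P block, so replacing `wpa_s = wpa_s->next;` with `wpa_s = next;` removes only the last access in the loop. If the interface can be freed inside the CONFIG_P2P branch, this call still operates on freed memory; either skip it in that case (for example by setting `wpa_s = next;` and using `continue` in that branch) or state in the commit message which call frees the interface so the remaining access can be checked.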