entry->bytearray_value was left to point to freed memory in case
os_realloc_array() failed. This resulted in the following
wpa_dbus_dict_entry_clear() trying to free an already freed memory area.
Signed-off-by: Jouni Malinen <j@w1.fi>
if (!buffer)
return FALSE;
- entry->bytearray_value = buffer;
entry->array_len = 0;
while (dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_BYTE) {
char byte;
}
buffer = nbuffer;
}
- entry->bytearray_value = buffer;
dbus_message_iter_get_basic(iter, &byte);
- entry->bytearray_value[count] = byte;
+ buffer[count] = byte;
entry->array_len = ++count;
dbus_message_iter_next(iter);
}
+ entry->bytearray_value = buffer;
wpa_hexdump_key(MSG_MSGDUMP, "dbus: byte array contents",
entry->bytearray_value, entry->array_len);