Initialize hapd->nr_db in hostapd_alloc_bss_data()

Previously, this was initialized in hostapd_setup_bss() which made it
possible for a REMOVE_NEIGHBOR control interface command to be issued
prior to the list head pointers having been set. That resulted in a NULL
pointer dereference. Fix this by initializing the list head at the time
the data structure gets allocated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 65f513d..a09d423 100644 (file)
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -912,7 +912,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
                return -1;
        }
        hapd->started = 1;
-       dl_list_init(&hapd->nr_db);
 
        if (!first || first == -1) {
                u8 *addr = hapd->own_addr;
@@ -2002,6 +2001,7 @@ hostapd_alloc_bss_data(struct hostapd_iface *hapd_iface,
        hapd->driver = hapd->iconf->driver;
        hapd->ctrl_sock = -1;
        dl_list_init(&hapd->ctrl_dst);
+       dl_list_init(&hapd->nr_db);
 
        return hapd;
 }

diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index 741670b..d67d3b2 100644 (file)
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -178,6 +178,7 @@ static int wpa_supplicant_mesh_init(struct wpa_supplicant *wpa_s,
        ifmsh->bss[0] = bss = os_zalloc(sizeof(struct hostapd_data));
        if (!bss)
                goto out_free;
+       dl_list_init(&bss->nr_db);
 
        os_memcpy(bss->own_addr, wpa_s->own_addr, ETH_ALEN);
        bss->driver = wpa_s->driver;