From: Max Stepanov
Date: Wed, 22 Jan 2014 14:05:45 +0000 (+0200)
Subject: wpa_supplicant: Fix seg fault in wpas_ctrl_radio_work_flush() in error case
X-Git-Tag: hostap_2_1~105
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=a6cff8bfa87dab458eeef43e158ba92b7a10aed5

wpa_supplicant: Fix seg fault in wpas_ctrl_radio_work_flush() in error case

Verify wpa_s->radio pointer before accessing it. If interface addition fails, this could get called before wpa_s->radio has been set.

The segmentation fault details:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004b9591 in wpas_ctrl_radio_work_flush (wpa_s=0x77fff0) at ctrl_iface.c:5754
5754 dl_list_for_each_safe(work, tmp, &wpa_s->radio->work,

Call stack:

0 wpas_ctrl_radio_work_flush (wpa_s=0x77fff0) at ctrl_iface.c:5754
1 wpa_supplicant_deinit_iface (wpa_s=0x77fff0, notify=0, terminate=0) at wpa_supplicant.c:3619
2 wpa_supplicant_add_iface (global=0x75db10, iface=0x7fffffffe270) at wpa_supplicant.c:3691
3 wpas_p2p_add_p2pdev_interface (wpa_s=0x75dd20) at p2p_supplicant.c:3700
4 main (argc=, argv=) at main.c:317

Function:

5750 void wpas_ctrl_radio_work_flush(struct wpa_supplicant *wpa_s)
5751 {
5752 	struct wpa_radio_work *work, *tmp;
5753
5754 	dl_list_for_each_safe(work, tmp, &wpa_s->radio->work,
5755 			      struct wpa_radio_work, list) {
5756 		struct wpa_external_work *ework;
5757
5758 		if (os_strncmp(work->type, "ext:", 4) != 0)

Root cause:

(gdb) p wpa_s->radio
$1 = (struct wpa_radio *) 0x0

Signed-hostap: Max Stepanov
---

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index f7ee6e3..ec79de3 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -5477,6 +5477,9 @@ void wpas_ctrl_radio_work_flush(struct wpa_supplicant *wpa_s) { struct wpa_radio_work *work, *tmp; + if (!wpa_s || !wpa_s->radio) + return; + dl_list_for_each_safe(work, tmp, &wpa_s->radio->work, struct wpa_radio_work, list) { struct wpa_external_work *ework;
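
Review bot: The `!wpa_s` half of the new guard at the top of wpas_ctrl_radio_work_flush() is not explained by the crash in the commit message, where the backtrace shows wpa_s=0x77fff0 and only wpa_s->radio was NULL. Either drop that half or say in the message that it is purely defensive, and add a one-line comment above the check noting that radio can still be unset when this is reached from wpa_supplicant_deinit_iface() after a failed wpa_supplicant_add_iface(), so the early return is not later removed as dead code. Because that deinit path runs on a partially initialized interface, it is also worth confirming that nothing else reachable from wpa_supplicant_deinit_iface() dereferences wpa_s->radio without the same check. Minor: the trace cites ctrl_iface.c:5754 while the hunk applies at line 5477, so the trace was taken on a different tree than the one being patched; please confirm the fault reproduces on this base.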