From 762b99db7a76803d1ad274e87caa6fe870d47441 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 10 Sep 2012 12:33:29 +0200
Subject: [PATCH] Fix last_scan_res update existing BSS entry is update
The BSS pointer may change if the entry needs to be reallocated and the new pointer has to be added to the last_scan_res array to avoid using pointers to freed memory.
Signed-hostap: Jouni Malinen
---
 wpa_supplicant/bss.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index af2033f..6223beb 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -391,8 +391,9 @@ static void notify_bss_changes(struct wpa_supplicant *wpa_s, u32 changes,
 }
-static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
- struct wpa_scan_res *res)
+static struct wpa_bss *
+wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
+ struct wpa_scan_res *res)
 {
 u32 changes;
@@ -414,6 +415,13 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 nbss = os_realloc(bss, sizeof(*bss) + res->ie_len + res->beacon_ie_len);
 if (nbss) {
+ unsigned int i;
+ for (i = 0; i < wpa_s->last_scan_res_used; i++) {
+ if (wpa_s->last_scan_res[i] == bss) {
+ wpa_s->last_scan_res[i] = nbss;
+ break;
+ }
+ }
 if (wpa_s->current_bss == bss)
 wpa_s->current_bss = nbss;
 bss = nbss;
@@ -429,6 +437,8 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
 dl_list_add_tail(&wpa_s->bss, &bss->list);
 notify_bss_changes(wpa_s, changes, bss);
+
+ return bss;
 }
@@ -482,7 +492,7 @@ void wpa_bss_update_scan_res(struct wpa_supplicant *wpa_s,
 if (bss == NULL)
 bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res);
 else
- wpa_bss_update(wpa_s, bss, res);
+ bss = wpa_bss_update(wpa_s, bss, res);
 if (bss == NULL)
 return;
--
2.1.4
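Review bot: The new return value of `wpa_bss_update()` (first hunk, `-391,8 +391,9`) carries a lifetime rule that is not written down: after the call the `bss` argument may point to freed memory, and only the returned pointer is safe to use. A short comment above the definition would state this, for example `/* May reallocate the entry; callers must use the returned pointer instead of bss. */`. The fourth hunk follows the rule in `wpa_bss_update_scan_res()`, but whether other callers exist is not visible on this page. Because the function is `static` and ignoring a return value is legal C, a caller that keeps using the old pointer would still compile.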
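Review bot: The fix-up loop in the second hunk (`-414,6 +415,13`) stops at the first match with `break;`, which is only safe if an entry can appear at most once in `wpa_s->last_scan_res`, and nothing on the page shows that invariant being enforced. If the same BSS could be appended twice during one scan, the later slot would keep the pre-realloc pointer, which is the stale-pointer case this patch is meant to close. Either drop the `break;` so every matching slot is rewritten, or record the assumption next to the loop, e.g. `/* each BSS is listed at most once in last_scan_res */`. The hunk patches only `last_scan_res` and `current_bss`; any other stored `struct wpa_bss *` would need the same treatment, which cannot be checked here because the function body starts and ends outside the hunk.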