authorJouni Malinen <j@w1.fi>2010-01-02 23:25:43 (GMT)
committerJouni Malinen <j@w1.fi>2010-01-02 23:25:43 (GMT)
commit1c83b67efd5cac9d6f6cb46cfa4ba3caef2c9612 (patch)
treeee2c2e3261c86e90980ffabfba6d27cf5285644a /wpa_supplicant/bss.c
parent2f1a90188c922750e4439eef7b0c99327b966b9f (diff)
Fix memory corruption on BSS entry reallocation
The wpa_s->bss_id list was being corrupted when the BSS entry needed to be reallocated due to longer IE data. The entry has to be removed from all lists before reallocation to avoid this (it was only removed from the wpa_s->bss list).
Diffstat (limited to 'wpa_supplicant/bss.c')
-rw-r--r--wpa_supplicant/bss.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index 62086a4..6446c05 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -148,12 +148,15 @@ static void wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
bss->ie_len = res->ie_len;
} else {
struct wpa_bss *nbss;
+ struct dl_list *prev = bss->list_id.prev;
+ dl_list_del(&bss->list_id);
nbss = os_realloc(bss, sizeof(*bss) + res->ie_len);
if (nbss) {
bss = nbss;
os_memcpy(bss + 1, res + 1, res->ie_len);
bss->ie_len = res->ie_len;
}
+ dl_list_add(prev, &bss->list_id);
}
dl_list_add_tail(&wpa_s->bss, &bss->list);
}
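Review bot: After `os_realloc()` succeeds in the else branch the old `bss` address may already be freed, and this hunk only repairs the two list linkages (`list_id` here, `list` via the `dl_list_add_tail` on the last line), so any other stored pointer to the entry would still dangle. wpa_bss_update() is declared `static void`, so a caller cannot learn the new address; whether callers or other `wpa_s` fields keep the old pointer is not visible here, because the function starts outside the hunk. It is worth confirming that and recording the invariant next to the unlink, e.g. `/* os_realloc() may move the entry: unlink from bss_id first, re-link after the saved predecessor */`. When `nbss` is NULL the entry is re-linked with its old IEs and old `ie_len` and nothing is logged; a `wpa_printf(MSG_DEBUG, ...)` on that path would make a dropped IE update visible.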