authorJouni Malinen <jouni@qca.qualcomm.com>2016-08-19 13:29:22 (GMT)
committerJouni Malinen <j@w1.fi>2016-08-22 14:44:05 (GMT)
commitf2f8616e806f90afed0e308a85088df4d4a9f349 (patch)
tree4909d961bb1a413f8d79b4e2907f670276fec5e8
parent30e0745bf7e7c302d5e0977c805b6f07ac2f3d2b (diff)
Initialize hapd->nr_db in hostapd_alloc_bss_data()
Previously, this was initialized in hostapd_setup_bss() which made it possible for a REMOVE_NEIGHBOR control interface command to be issued prior to the list head pointers having been set. That resulted in a NULL pointer dereference. Fix this by initializing the list head at the time the data structure gets allocated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-rw-r--r--src/ap/hostapd.c2
-rw-r--r--wpa_supplicant/mesh.c1
2 files changed, 2 insertions, 1 deletions
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 65f513d..a09d423 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -912,7 +912,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
return -1;
}
hapd->started = 1;
- dl_list_init(&hapd->nr_db);
if (!first || first == -1) {
u8 *addr = hapd->own_addr;
@@ -2002,6 +2001,7 @@ hostapd_alloc_bss_data(struct hostapd_iface *hapd_iface,
hapd->driver = hapd->iconf->driver;
hapd->ctrl_sock = -1;
dl_list_init(&hapd->ctrl_dst);
+ dl_list_init(&hapd->nr_db);
return hapd;
}
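Review bot: The added `dl_list_init(&hapd->nr_db);` in hostapd_alloc_bss_data() carries no comment recording the ordering constraint, so a later cleanup could move it back into hostapd_setup_bss() and reopen the NULL pointer dereference that the commit message describes for REMOVE_NEIGHBOR. I would put this above the added line: `/* nr_db must be a valid list head from allocation: REMOVE_NEIGHBOR can arrive before hostapd_setup_bss() has run. */`. It is also worth confirming that the neighbor-database handlers reachable from the control interface do not rely on any other state that is only set up in hostapd_setup_bss(); that is not visible here. The function body begins outside the hunk.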
diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index 741670b..d67d3b2 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -178,6 +178,7 @@ static int wpa_supplicant_mesh_init(struct wpa_supplicant *wpa_s,
ifmsh->bss[0] = bss = os_zalloc(sizeof(struct hostapd_data));
if (!bss)
goto out_free;
+ dl_list_init(&bss->nr_db);
os_memcpy(bss->own_addr, wpa_s->own_addr, ETH_ALEN);
bss->driver = wpa_s->driver;
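Review bot: Because wpa_supplicant_mesh_init() allocates `struct hostapd_data` with os_zalloc() directly instead of going through hostapd_alloc_bss_data(), every list-head initialisation has to be repeated here by hand, and an all-zero `struct dl_list` is not a valid empty list. This hunk adds nr_db only; hostapd_alloc_bss_data() also initialises `ctrl_dst`, and whether the mesh path does the same elsewhere is not visible in this hunk, so that is worth checking. A small shared helper that initialises all list heads of a hostapd_data, called from both allocation sites, would keep the two paths from drifting apart again. The function continues outside the hunk.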