authorJouni Malinen <jouni@qca.qualcomm.com>2016-05-16 16:04:54 (GMT)
committerJouni Malinen <j@w1.fi>2016-05-16 16:04:54 (GMT)
commit7d1007a6740a49b6e6bb0e91808ebb8fc9d5789d (patch)
treed265c211c086d9f4b80510e044cad16a7b1ee289 /wpa_supplicant
parentf260ce4be866519d3c80c3f3fa6cfc0df9284779 (diff)
Fix external radio work debug printing on removal
work->type was pointing to the allocated work->ctx buffer and the debug print in radio_work_free() ended up using freed memory if a started external radio work was removed as part of FLUSH command operations. Fix this by updating work->type to point to a constant string in case the dynamic version gets freed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/ctrl_iface.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 05e28e9..ea8cecc 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -7268,6 +7268,13 @@ static void wpas_ctrl_radio_work_cb(struct wpa_radio_work *work, int deinit)
eloop_cancel_timeout(wpas_ctrl_radio_work_timeout,
work, NULL);
+ /*
+ * work->type points to a buffer in ework, so need to replace
+ * that here with a fixed string to avoid use of freed memory
+ * in debug prints.
+ */
+ work->type = "freed-ext-work";
+ work->ctx = NULL;
os_free(ework);
return;
}
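Review bot: The new comment justifies the `work->type` replacement but says nothing about the `work->ctx = NULL` on the following line, and the lifetime hazard it describes is not specific to this branch. I would extend the comment with something like `work->ctx is cleared as well so the work item keeps no pointer to the freed ework`, assuming that is the intent. Because `work->type` borrows storage owned by `ework`, any other site that frees `ework` while the work item can still reach a debug print has the same use-after-free exposure; those sites are outside this hunk, so it is worth confirming that each one either releases the work item first or applies the same reset. wpas_ctrl_radio_work_cb starts and ends outside the hunk.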