diff options
author | Felix Fietkau <nbd@nbd.name> | 2021-05-24 19:24:37 +0200 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2021-05-26 11:48:14 +0200 |
commit | eefed841b05c3cd4c65a78b50ce0934d879e6acf (patch) | |
tree | bc9e110ec793ea85506c87251e08fa05d7bbbb13 /package/network/services/hostapd/patches/060-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch | |
parent | c8bcdd561909034a14cbfd785e13848cbd5f5e50 (diff) | |
download | upstream-eefed841b05c3cd4c65a78b50ce0934d879e6acf.tar.gz upstream-eefed841b05c3cd4c65a78b50ce0934d879e6acf.tar.bz2 upstream-eefed841b05c3cd4c65a78b50ce0934d879e6acf.zip |
hostapd: update to version 2021-05-21
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'package/network/services/hostapd/patches/060-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch')
-rw-r--r-- | package/network/services/hostapd/patches/060-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch | 45 |
1 files changed, 0 insertions, 45 deletions
diff --git a/package/network/services/hostapd/patches/060-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch b/package/network/services/hostapd/patches/060-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch deleted file mode 100644 index 1202ff3725..0000000000 --- a/package/network/services/hostapd/patches/060-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@codeaurora.org> -Date: Tue, 8 Dec 2020 23:52:50 +0200 -Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request - -p2p_add_device() may remove the oldest entry if there is no room in the -peer table for a new peer. This would result in any pointer to that -removed entry becoming stale. A corner case with an invalid PD Request -frame could result in such a case ending up using (read+write) freed -memory. This could only by triggered when the peer table has reached its -maximum size and the PD Request frame is received from the P2P Device -Address of the oldest remaining entry and the frame has incorrect P2P -Device Address in the payload. - -Fix this by fetching the dev pointer again after having called -p2p_add_device() so that the stale pointer cannot be used. - -Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") -Signed-off-by: Jouni Malinen <jouni@codeaurora.org> ---- - src/p2p/p2p_pd.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - ---- a/src/p2p/p2p_pd.c -+++ b/src/p2p/p2p_pd.c -@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2 - goto out; - } - -+ dev = p2p_get_device(p2p, sa); - if (!dev) { -- dev = p2p_get_device(p2p, sa); -- if (!dev) { -- p2p_dbg(p2p, -- "Provision Discovery device not found " -- MACSTR, MAC2STR(sa)); -- goto out; -- } -+ p2p_dbg(p2p, -+ "Provision Discovery device not found " -+ MACSTR, MAC2STR(sa)); -+ goto out; - } - } else if (msg.wfd_subelems) { - wpabuf_free(dev->info.wfd_subelems); |