Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

GAS: Fix double-free on an error path

If radio_add_work() fails, gas_query_req() ended up freeing the query
payload and returning an error. This resulted in also the caller trying
to free the query payload. Fix this by not freeing the buffer within
gas_query_req() in error case to be consistent with the other error
cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 8 years ago
parent
d6e93d3e09
commit
1574fa1c6c
1 changed files with 1 additions and 0 deletions
Unified View Show Diff Stats
  1. 1 0
      wpa_supplicant/gas_query.c

+ 1 - 0
wpa_supplicant/gas_query.c
View File 

@@ -774,6 +774,7 @@ int gas_query_req(struct gas_query *gas, const u8 *dst, int freq,
 
 
 
 	if (radio_add_work(gas->wpa_s, freq, "gas-query", 0, gas_query_start_cb,
 
 	if (radio_add_work(gas->wpa_s, freq, "gas-query", 0, gas_query_start_cb,
 
 			   query) < 0) {
 
 			   query) < 0) {
 
+		query->req = NULL; /* caller will free this in error case */
 
 		gas_query_free(query, 1);
 
 		gas_query_free(query, 1);
 
 		return -1;
 
 		return -1;
 
 	}
 
 	}