Commit | Line | Data |
---|---|---|
83a614b6 LLB |
1 | From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 |
2 | From: Jouni Malinen <jouni@codeaurora.org> | |
3 | Date: Tue, 8 Dec 2020 23:52:50 +0200 | |
4 | Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request | |
5 | ||
6 | p2p_add_device() may remove the oldest entry if there is no room in the | |
7 | peer table for a new peer. This would result in any pointer to that | |
8 | removed entry becoming stale. A corner case with an invalid PD Request | |
9 | frame could result in such a case ending up using (read+write) freed | |
10 | memory. This could only by triggered when the peer table has reached its | |
11 | maximum size and the PD Request frame is received from the P2P Device | |
12 | Address of the oldest remaining entry and the frame has incorrect P2P | |
13 | Device Address in the payload. | |
14 | ||
15 | Fix this by fetching the dev pointer again after having called | |
16 | p2p_add_device() so that the stale pointer cannot be used. | |
17 | ||
18 | Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") | |
19 | Signed-off-by: Jouni Malinen <jouni@codeaurora.org> | |
20 | --- | |
21 | src/p2p/p2p_pd.c | 12 +++++------- | |
22 | 1 file changed, 5 insertions(+), 7 deletions(-) | |
23 | ||
24 | diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c | |
25 | index 3994ec03f86b..05fd593494ef 100644 | |
26 | --- a/src/p2p/p2p_pd.c | |
27 | +++ b/src/p2p/p2p_pd.c | |
28 | @@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, | |
29 | goto out; | |
30 | } | |
31 | ||
32 | + dev = p2p_get_device(p2p, sa); | |
33 | if (!dev) { | |
34 | - dev = p2p_get_device(p2p, sa); | |
35 | - if (!dev) { | |
36 | - p2p_dbg(p2p, | |
37 | - "Provision Discovery device not found " | |
38 | - MACSTR, MAC2STR(sa)); | |
39 | - goto out; | |
40 | - } | |
41 | + p2p_dbg(p2p, | |
42 | + "Provision Discovery device not found " | |
43 | + MACSTR, MAC2STR(sa)); | |
44 | + goto out; | |
45 | } | |
46 | } else if (msg.wfd_subelems) { | |
47 | wpabuf_free(dev->info.wfd_subelems); | |
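Review bot: the unconditional re-fetch at `+ dev = p2p_get_device(p2p, sa);` right after the p2p_add_device() failure check is the correct shape, since any `dev` obtained before p2p_add_device() may point at an entry that call evicted; a one-line comment above it stating that the earlier `dev` must not be reused after p2p_add_device() would keep a future cleanup from reintroducing the removed lookup-inside-`if (!dev)` pattern, which is exactly what let the stale pointer survive. A regression test for the condition the commit message describes (peer table at its maximum size, PD Request from the oldest entry's P2P Device Address with a mismatched P2P Device Address in the payload) would pin this down, and the debug message at `+ "Provision Discovery device not found "` is the only observable trace of the lookup failing, so keeping it at a log level that ships would help when diagnosing similar reports.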
48 | -- | |
49 | 2.25.1 | |
50 |