From 1d852e10ade625d16c905380f6402318bc5b1ec1 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Tue, 4 Aug 2020 16:53:00 +0200
Subject: [PATCH] scan: Always allocate results->bss_list
Instead of creating the results->bss_list l_queue lazily, always create one before sending the GET_SCAN command. This is to make sure that an empty list is passed to the scan callback (e.g. in station.c) instead of a NULL. Passing NULL has been causing difficult to debug crashes in station.c, in fact I think I've been seeing them for over a year now but can't be sure. station_set_scan_results has been taking ownership of the new BSS list and, if station->connected_bss was not on the list, it would try to add it not realizing that l_queue_push_tail() was doing nothing. Always passing a valid list may help us prevent similar problems in the future. The crash might start with:
==120489== Invalid read of size 8
==120489== at 0x425D38: network_bss_select (network.c:709)
==120489== by 0x415BD1: station_try_next_bss (station.c:2263)
==120489== by 0x415E31: station_retry_with_status (station.c:2323)
==120489== by 0x415E31: station_connect_cb (station.c:2367)
==120489== by 0x407E66: netdev_connect_failed (netdev.c:569)
==120489== by 0x40B93D: netdev_connect_event (netdev.c:1801)
==120489== by 0x40B93D: netdev_mlme_notify (netdev.c:3678)
---
src/scan.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/scan.c b/src/scan.c
index d131b1f4..c93beabd 100644
--- a/src/scan.c
+++ b/src/scan.c
@@ -1448,9 +1448,6 @@ static void get_scan_callback(struct l_genl_msg *msg, void *user_data)
 l_debug("get_scan_callback");
- if (!results->bss_list)
- results->bss_list = l_queue_new();
-
 bss = scan_parse_result(msg, &wdev_id);
 if (!bss)
 return;
@@ -1694,6 +1691,7 @@ static void scan_notify(struct l_genl_msg *msg, void *user_data)
 results->sc = sc;
 results->time_stamp = l_time_now();
 results->sr = sr;
+ results->bss_list = l_queue_new();
 scan_parse_new_scan_results(msg, results);
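Review bot: With the lazy `l_queue_new()` dropped from get_scan_callback in the first hunk, the callback now depends on whoever builds the `results` it receives having set `bss_list` beforehand, and this patch only shows scan_notify doing so; get_scan_callback itself begins at the hunk header and its body, including the later push of `bss` onto `results->bss_list`, continues past the hunk. If some other path not visible here still hands this callback a `results` whose `bss_list` is NULL, `l_queue_push_tail()` will silently do nothing — the exact failure the commit message describes — and the freshly parsed `bss` is presumably leaked as well. I would make the new invariant explicit right after the `l_debug()` call, before anything is allocated: `if (L_WARN_ON(!results->bss_list)) return;` (or an `l_error()` plus early return if ell's L_WARN_ON is not already used in this file), so a future caller that forgets the allocation fails loudly instead of quietly discarding scan results.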