From a68e958f29518b51cea78a3b239bc000faf640c2 Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Thu, 19 Jul 2018 09:13:24 -0700
Subject: [PATCH] ap: fixed crash in AP

If the device mode it toggled from 'ap' back to 'station' without actually starting the access point ap_free attempts to zero out the psk, which causes a crash because it had never been allocated (Start() never was called). Since ap->psk is actually never used this was removed.

Also added a memset to zero out the pmk on cleanup.

This is the crash observed:

++++++++ backtrace ++++++++
0 0x7f6ffe978a80 in /lib64/libc.so.6
1 0x7f6ffe9d6766 in /lib64/libc.so.6
2 0x42dd51 in memset() at /usr/include/bits/string3.h:90
3 0x42ddd9 in ap_free() at src/ap.c:144
4 0x445ec6 in interface_instance_free() at ell/dbus-service.c:513
5 0x448650 in _dbus_object_tree_remove_interface() at ell/dbus-service.c:1595
6 0x40d980 in device_set_mode_sta() at src/device.c:2113
7 0x447d4c in properties_set() at ell/dbus-service.c:1861
8 0x448a33 in _dbus_object_tree_dispatch() at ell/dbus-service.c:1691
9 0x442587 in message_read_handler() at ell/dbus.c:285
10 0x43cac9 in io_callback() at ell/io.c:123
11 0x43bf5e in l_main_iterate() at ell/main.c:376
12 0x43c01c in l_main_run() at ell/main.c:419
13 0x40379d in main() at src/main.c:460
14 0x7f6ffe96288a in /lib64/libc.so.6
+++++++++++++++++++++++++++
---
 src/ap.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/ap.c b/src/ap.c
index e126b832..19ed2e6c 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -117,8 +117,8 @@ static void ap_reset(struct ap_state *ap)
 				dbus_error_aborted(ap->pending));
 	l_free(ap->ssid);
-	memset(ap->psk, 0, strlen(ap->psk));
-	l_free(ap->psk);
+
+	memset(ap->pmk, 0, sizeof(ap->pmk));
 	l_queue_foreach(ap->frame_watch_ids, ap_frame_watch_remove, netdev);
 	l_queue_destroy(ap->frame_watch_ids, NULL);
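Review bot: The new `memset(ap->pmk, 0, sizeof(ap->pmk))` in ap_reset is a plain memset on a buffer that is not read again on this path, and if the enclosing struct is released right afterwards — the backtrace in the description shows this cleanup running from ap_free, so that seems likely — the compiler may treat it as a dead store and drop it, leaving the key material in memory. A wipe that survives optimisation, `explicit_bzero(ap->pmk, sizeof(ap->pmk));` (glibc/BSD) or a project helper built on a volatile pointer, would make the intent hold. The line also relies on `ap->pmk` being an array member of struct ap_state rather than a pointer — otherwise `sizeof(ap->pmk)` only covers the pointer itself — which the hunk does not show, so it is worth confirming against the struct definition. ap_reset's body starts and ends outside the hunk.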
@@ -1236,7 +1236,6 @@ static int ap_start(struct ap_state *ap, const char *ssid, const char *psk,
 	uint32_t id;
 	ap->ssid = l_strdup(ssid);
-	ap->psk = l_strdup(psk);
 	/* TODO: Start a Get Survey to decide the channel */
 	ap->channel = 6;
 	/* TODO: Add all ciphers supported by wiphy */