From adfba7b2d24cb43532a3348c6d6ddfb53b8e2c72 Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Fri, 3 Feb 2017 18:03:37 -0600
Subject: [PATCH] scan: Fix crash

Program received signal SIGSEGV, Segmentation fault.
0x0000000000419d38 in scan_done (msg=0x692580, userdata=0x688250) at src/scan.c:250
250 sc->state = sr->passive ? SCAN_STATE_PASSIVE : SCAN_STATE_ACTIVE;
(gdb) bt
0 0x0000000000419d38 in scan_done (msg=0x692580, userdata=0x688250) at src/scan.c:250
1 0x000000000043cac0 in process_unicast (genl=0x686d60, nlmsg=0x7fffffffc3b0) at ell/genl.c:390
2 0x000000000043ceb0 in received_data (io=0x686e60, user_data=0x686d60) at ell/genl.c:506
3 0x000000000043967d in io_callback (fd=6, events=1, user_data=0x686e60) at ell/io.c:120
4 0x000000000043824d in l_main_run () at ell/main.c:381
5 0x000000000040303c in main (argc=1, argv=0x7fffffffe668) at src/main.c:259

The reasoning is that the logic inside scan_common is reversed. Instead of freeing the scan request on error, we always do it. This causes the trigger_scan callback to receive invalid userdata.
---
 src/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scan.c b/src/scan.c
index 84e78737..7eaae619 100644
--- a/src/scan.c
+++ b/src/scan.c
@@ -360,7 +360,7 @@ static uint32_t scan_common(uint32_t ifindex, bool passive,
 goto done;
 sc->start_cmd_id = scan_send_start(&sr->start_cmd, scan_done, sc);
-if (!sc->start_cmd_id)
+if (sc->start_cmd_id > 0)
 goto done;
 error:
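Review bot: The corrected line `if (sc->start_cmd_id > 0) goto done;` is a success test that jumps over the `error:` label, which is exactly the shape that was inverted before and turned a freed request into the userdata handed to scan_done(); nothing in the hunk records why this branch must skip the error cleanup, so the next reader can re-introduce the bug. A one-line comment on the new line would pin the ownership rule, e.g. `/* Sent: scan_done() now owns sr; do not run the error-path cleanup below. */`, and if `start_cmd_id` is an unsigned id (the hunk does not show its type) `!= 0` states the intent more directly than `> 0`. The body of scan_common, including whatever `done:` and `error:` actually free, lies outside this hunk, so the claim that the error path frees the request is taken from the commit message rather than from visible code.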