arne/openwrt
1
0
Fork 0
forked from mirror/openwrt
Code Pull requests Activity

hostapd: fix a use-after-free bug when interfaces are removed during a scan

Browse source 
Whenever the first bss is removed, any pending scan still keeps a reference
to it. Cancel it in order to prevent use-after-free bugs.

Reported-by: Chad Monroe <chad.monroe@adtran.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Felix Fietkau 2025-10-21 08:23:30 +00:00
parent 4c50648f72
commit d924a0cff8
4 changed files with 29 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch Normal file
View file

@ -0,0 +1,22 @@
From: Felix Fietkau <nbd@nbd.name>
Date: Tue, 21 Oct 2025 10:19:41 +0200
Subject: [PATCH] nl80211: cancel scans whenever the first bss is removed
Whenever the first bss is removed, any pending scan still keeps a reference
to it. Cancel it in order to prevent use-after-free bugs.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -9261,6 +9261,9 @@ static int wpa_driver_nl80211_if_remove(
wpa_printf(MSG_INFO, "nl80211: %s - could not find "
"BSS %p in the list", __func__, bss);
} else {
+ if (eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx))
+ wpa_driver_nl80211_scan_timeout(drv, bss->ctx);
+
wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
nl80211_teardown_ap(bss);
nl80211_remove_links(bss);

4
package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
View file

@ -29,7 +29,7 @@ Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
struct wpa_driver_set_key_params {
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -12373,6 +12373,18 @@ static int nl80211_put_mesh_id(struct nl
@@ -12376,6 +12376,18 @@ static int nl80211_put_mesh_id(struct nl
}
@ -48,7 +48,7 @@ Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
static int nl80211_put_mesh_config(struct nl_msg *msg,
struct wpa_driver_mesh_bss_params *params)
{
@@ -12434,6 +12446,7 @@ static int nl80211_join_mesh(struct i802
@@ -12437,6 +12449,7 @@ static int nl80211_join_mesh(struct i802
nl80211_put_basic_rates(msg, params->basic_rates) ||
nl80211_put_mesh_id(msg, params->meshid, params->meshid_len) ||
nl80211_put_beacon_int(msg, params->beacon_int) ||

6
package/network/services/hostapd/patches/601-ucode_support.patch
View file

@ -484,7 +484,7 @@ as adding/removing interfaces.
}
if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
@@ -9307,6 +9325,50 @@ static int wpa_driver_nl80211_if_remove(
@@ -9310,6 +9328,50 @@ static int wpa_driver_nl80211_if_remove(
return 0;
}
@ -535,7 +535,7 @@ as adding/removing interfaces.
static int cookie_handler(struct nl_msg *msg, void *arg)
{
@@ -11192,6 +11254,37 @@ static bool nl80211_is_drv_shared(void *
@@ -11195,6 +11257,37 @@ static bool nl80211_is_drv_shared(void *
#endif /* CONFIG_IEEE80211BE */
@ -573,7 +573,7 @@ as adding/removing interfaces.
static int driver_nl80211_send_mlme(void *priv, const u8 *data,
size_t data_len, int noack,
unsigned int freq,
@@ -15011,6 +15104,8 @@ const struct wpa_driver_ops wpa_driver_n
@@ -15014,6 +15107,8 @@ const struct wpa_driver_ops wpa_driver_n
.set_acl = wpa_driver_nl80211_set_acl,
.if_add = wpa_driver_nl80211_if_add,
.if_remove = driver_nl80211_if_remove,

4
package/network/services/hostapd/patches/740-snoop_iface.patch
View file

@ -123,7 +123,7 @@ untagged DHCP packets
* get_wowlan - Get wake-on-wireless status
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -12893,7 +12893,7 @@ static const char * drv_br_net_param_str
@@ -12896,7 +12896,7 @@ static const char * drv_br_net_param_str
static int wpa_driver_br_set_net_param(void *priv, enum drv_br_net_param param,
@ -132,7 +132,7 @@ untagged DHCP packets
{
struct i802_bss *bss = priv;
char path[128];
@@ -12919,8 +12919,11 @@ static int wpa_driver_br_set_net_param(v
@@ -12922,8 +12922,11 @@ static int wpa_driver_br_set_net_param(v
return -EINVAL;
}