wifi: cfg80211: avoid double free if updating BSS fails
author Benjamin Berg <benjamin.berg@intel.com>
Wed, 20 Dec 2023 11:41:43 +0000 (13:41 +0200)
committer Johannes Berg <johannes.berg@intel.com>
Thu, 21 Dec 2023 19:35:15 +0000 (20:35 +0100)

cfg80211_update_known_bss will always consume the passed IEs. As such,
cfg80211_update_assoc_bss_entry also needs to always set the pointers to
NULL so that no double free can occur.

Note that hitting this would probably require being connected to a
hidden BSS which is then doing a channel switch while also switching to
be not hidden anymore at the same time.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20231220133549.8891edb28d51.Id09c5145363e990ff5237decd58296302e2d53c8@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/wireless/scan.c

index f7fd7ea0e935f43ebd815a263a66081a63d9a390..cf2131671eb6e79873b0c2b2cff7352606236250 100644 (file)
@@ -3194,10 +3194,9 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
 
        if (new) {
                /* to save time, update IEs for transmitting bss only */
-               if (cfg80211_update_known_bss(rdev, cbss, new, false)) {
-                       new->pub.proberesp_ies = NULL;
-                       new->pub.beacon_ies = NULL;
-               }
+               cfg80211_update_known_bss(rdev, cbss, new, false);
+               new->pub.proberesp_ies = NULL;
+               new->pub.beacon_ies = NULL;
 
                list_for_each_entry_safe(nontrans_bss, tmp,
                                         &new->pub.nontrans_list,
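
Review bot: The two assignments that now run unconditionally after the cfg80211_update_known_bss() call, `new->pub.proberesp_ies = NULL;` and `new->pub.beacon_ies = NULL;`, depend on an ownership rule that is stated only in the commit message and not in the code. A short comment above them, for example `/* cfg80211_update_known_bss() always consumes the IEs */`, would keep a later cleanup from restoring the conditional and bringing back the double free. The return value of the call is also discarded without explanation; if a failed update needs no further handling at this point, the same comment should say so.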