From d924a0cff8e2f5f0f01217352ac711de768b1eaf Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Tue, 21 Oct 2025 08:23:30 +0000
Subject: [PATCH] hostapd: fix a use-after-free bug when interfaces are removed during a scan

Whenever the first bss is removed, any pending scan still keeps a reference to it. Cancel it in order to prevent use-after-free bugs.

Reported-by: Chad Monroe
Signed-off-by: Felix Fietkau
---
 ...cans-whenever-the-first-bss-is-remov.patch | 22 +++++++++++++++++++
 .../patches/463-add-mcast_rate-to-11s.patch | 4 ++--
 .../hostapd/patches/601-ucode_support.patch | 6 ++---
 .../hostapd/patches/740-snoop_iface.patch | 4 ++--
 4 files changed, 29 insertions(+), 7 deletions(-)
 create mode 100644 package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch

diff --git a/package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch b/package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch
new file mode 100644
index 0000000000..24ddf5bcc0
--- /dev/null
+++ b/package/network/services/hostapd/patches/192-nl80211-cancel-scans-whenever-the-first-bss-is-remov.patch
@@ -0,0 +1,22 @@
+From: Felix Fietkau
+Date: Tue, 21 Oct 2025 10:19:41 +0200
+Subject: [PATCH] nl80211: cancel scans whenever the first bss is removed
+
+Whenever the first bss is removed, any pending scan still keeps a reference
+to it. Cancel it in order to prevent use-after-free bugs.
+
+Signed-off-by: Felix Fietkau
+---
+
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -9261,6 +9261,9 @@ static int wpa_driver_nl80211_if_remove(
+ wpa_printf(MSG_INFO, "nl80211: %s - could not find "
+ "BSS %p in the list", __func__, bss);
+ } else {
++ if (eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx))
++ wpa_driver_nl80211_scan_timeout(drv, bss->ctx);
++
+ wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
+ nl80211_teardown_ap(bss);
+ nl80211_remove_links(bss);
diff --git a/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch b/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
index 1f77818a94..4dc107feba 100644
--- a/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
+++ b/package/network/services/hostapd/patches/463-add-mcast_rate-to-11s.patch
@@ -29,7 +29,7 @@ Tested-by: Simon Wunderlich
 struct wpa_driver_set_key_params {
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -12373,6 +12373,18 @@ static int nl80211_put_mesh_id(struct nl
+@@ -12376,6 +12376,18 @@ static int nl80211_put_mesh_id(struct nl
  }
@@ -48,7 +48,7 @@ Tested-by: Simon Wunderlich
 static int nl80211_put_mesh_config(struct nl_msg *msg,
 struct wpa_driver_mesh_bss_params *params)
 {
-@@ -12434,6 +12446,7 @@ static int nl80211_join_mesh(struct i802
+@@ -12437,6 +12449,7 @@ static int nl80211_join_mesh(struct i802
 nl80211_put_basic_rates(msg, params->basic_rates) ||
 nl80211_put_mesh_id(msg, params->meshid, params->meshid_len) ||
 nl80211_put_beacon_int(msg, params->beacon_int) ||
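Review bot: The added `if (eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx))` line in the nested driver_nl80211.c hunk runs well past 80 columns at three tabs of indent, which hostapd's kernel-style checkpatch flags; wrap it as `if (eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout,` / `			 drv, bss->ctx))`. The cancel-then-call sequence also deserves a comment, since invoking a timeout handler synchronously is unusual enough that a later reader may "simplify" it back to a plain cancel, e.g. `/* A pending scan timeout still references bss->ctx; run it now so the scan is aborted or its result delivered before the context goes away */`. Only a timeout registered with exactly `drv` and `bss->ctx` is matched by this cancel; if any scan path registers the timeout under a different context pointer it would still dangle after removal, which is not visible here and worth confirming. wpa_driver_nl80211_if_remove begins and ends outside the hunk.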
diff --git a/package/network/services/hostapd/patches/601-ucode_support.patch b/package/network/services/hostapd/patches/601-ucode_support.patch
index dedea272a9..7bbf781275 100644
--- a/package/network/services/hostapd/patches/601-ucode_support.patch
+++ b/package/network/services/hostapd/patches/601-ucode_support.patch
@@ -484,7 +484,7 @@ as adding/removing interfaces.
 }
 if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
-@@ -9307,6 +9325,50 @@ static int wpa_driver_nl80211_if_remove(
+@@ -9310,6 +9328,50 @@ static int wpa_driver_nl80211_if_remove(
 return 0;
 }
@@ -535,7 +535,7 @@ as adding/removing interfaces.
 static int cookie_handler(struct nl_msg *msg, void *arg)
 {
-@@ -11192,6 +11254,37 @@ static bool nl80211_is_drv_shared(void *
+@@ -11195,6 +11257,37 @@ static bool nl80211_is_drv_shared(void *
 #endif /* CONFIG_IEEE80211BE */
@@ -573,7 +573,7 @@ as adding/removing interfaces.
 static int driver_nl80211_send_mlme(void *priv, const u8 *data,
 size_t data_len, int noack,
 unsigned int freq,
-@@ -15011,6 +15104,8 @@ const struct wpa_driver_ops wpa_driver_n
+@@ -15014,6 +15107,8 @@ const struct wpa_driver_ops wpa_driver_n
 .set_acl = wpa_driver_nl80211_set_acl,
 .if_add = wpa_driver_nl80211_if_add,
 .if_remove = driver_nl80211_if_remove,
diff --git a/package/network/services/hostapd/patches/740-snoop_iface.patch b/package/network/services/hostapd/patches/740-snoop_iface.patch
index f40356ad23..ec907ea838 100644
--- a/package/network/services/hostapd/patches/740-snoop_iface.patch
+++ b/package/network/services/hostapd/patches/740-snoop_iface.patch
@@ -123,7 +123,7 @@ untagged DHCP packets
 * get_wowlan - Get wake-on-wireless status
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -12893,7 +12893,7 @@ static const char * drv_br_net_param_str
+@@ -12896,7 +12896,7 @@ static const char * drv_br_net_param_str
 static int wpa_driver_br_set_net_param(void *priv, enum drv_br_net_param param,
@@ -132,7 +132,7 @@ untagged DHCP packets
 {
 struct i802_bss *bss = priv;
 char path[128];
-@@ -12919,8 +12919,11 @@ static int wpa_driver_br_set_net_param(v
+@@ -12922,8 +12922,11 @@ static int wpa_driver_br_set_net_param(v
 return -EINVAL;
 }
-- 
2.30.2