Fix dereference after free in wifi band selection 72/318072/1 accepted/tizen_unified accepted/tizen_unified_x tizen accepted/tizen/unified/20240925.010014 accepted/tizen/unified/x/20240925.015954
authorJaehyun Kim <jeik01.kim@samsung.com>
Tue, 24 Sep 2024 08:19:37 +0000 (17:19 +0900)
committerJaehyun Kim <jeik01.kim@samsung.com>
Tue, 24 Sep 2024 08:19:37 +0000 (17:19 +0900)
Change-Id: I12475b502523ce860ede27eb00fff4c9e6c801d6
Signed-off-by: Jaehyun Kim <jeik01.kim@samsung.com>
gsupplicant/supplicant.c

index 8225637..1852c45 100755 (executable)
@@ -6656,29 +6656,21 @@ static bool set_band_freqs_5ghz(GSupplicantScanParams *scan_data)
        return true;
 }
 
-static void set_band_freqs(GSupplicantScanParams **scan_data)
+static void set_band_freqs(GSupplicantScanParams *scan_data)
 {
-       GSupplicantScanParams *scan_data_local = NULL;
-
-       if (*scan_data && ((*scan_data)->num_ssids != 0 || (*scan_data)->num_freqs != 0))
-               return;
-
-       scan_data_local = g_try_malloc0(sizeof(GSupplicantScanParams));
-       if (!scan_data_local) {
-               SUPPLICANT_DBG("Failed to allocate memory.");
+       if (!scan_data || scan_data->num_ssids != 0 || scan_data->num_freqs != 0)
                return;
-       }
 
        switch (wifi_band_selection_method) {
        case WIFI_BAND_SELECTION_2_4GHZ:
-               if (!set_band_freqs_2_4ghz(scan_data_local)) {
-                       g_free(scan_data_local);
+               if (!set_band_freqs_2_4ghz(scan_data)) {
+                       g_free(scan_data);
                        return;
                }
                break;
        case WIFI_BAND_SELECTION_5GHZ:
-               if (!set_band_freqs_5ghz(scan_data_local)) {
-                       g_free(scan_data_local);
+               if (!set_band_freqs_5ghz(scan_data)) {
+                       g_free(scan_data);
                        return;
                }
                break;
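Review bot: The `g_free(scan_data)` calls on the two failure paths (after `set_band_freqs_2_4ghz` and `set_band_freqs_5ghz`) release a pointer this function no longer owns: `scan_data` is now the caller's object, and both call sites in g_supplicant_interface_scan go on to `print_scan_freqs(scan_data)` and `data->scan_params = scan_data` after the call, so a failed band setup turns into a dereference of freed memory, and on the `scan_data_local` path the `ret < 0` cleanup later frees the same block a second time. In the removed code a failure left the caller's params untouched, so the equivalent here is simply `if (!set_band_freqs_2_4ghz(scan_data)) return;` (and likewise for the 5 GHz case), leaving freeing to whoever allocated the struct. If set_band_freqs_2_4ghz or set_band_freqs_5ghz can partially fill `scan_data->freqs` before failing, that state would also need resetting, but their bodies are not visible here. The switch in set_band_freqs continues in the next hunk.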
@@ -6686,14 +6678,8 @@ static void set_band_freqs(GSupplicantScanParams **scan_data)
                /* Currently not supported */
                /* fall through */
        default:
-               g_free(scan_data_local);
-               return;
+               break;
        }
-
-       if (*scan_data)
-               g_supplicant_free_scan_params(*scan_data);
-
-       *scan_data = scan_data_local;
 }
 #endif
 
@@ -6718,13 +6704,28 @@ int g_supplicant_interface_scan(GSupplicantInterface *interface,
 #if defined TIZEN_EXT
        data->interface->scan_callback = data->callback = callback;
        data->interface->scan_data = data->user_data = user_data;
-       set_band_freqs(&scan_data);
-       print_scan_freqs(scan_data);
+
+       GSupplicantScanParams *scan_data_local = NULL;
+
+       if (scan_data) {
+               set_band_freqs(scan_data);
+               print_scan_freqs(scan_data);
+               data->scan_params = scan_data;
+       } else {
+               scan_data_local = g_try_malloc0(sizeof(GSupplicantScanParams));
+               if (!scan_data_local) {
+                       SUPPLICANT_DBG("Failed to allocate memory.");
+               } else {
+                       set_band_freqs(scan_data_local);
+                       print_scan_freqs(scan_data_local);
+                       data->scan_params = scan_data_local;
+               }
+       }
 #else
        data->callback = callback;
        data->user_data = user_data;
-#endif
        data->scan_params = scan_data;
+#endif
 
        interface->scan_callback = callback;
        interface->scan_data = user_data;
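Review bot: In the allocation-failure branch of the new `else` block `data->scan_params` is never assigned, whereas the removed code and the `#else` branch always set it (to the NULL `scan_data` in that case); the scan then proceeds with whatever `data->scan_params` held after `data` was allocated, which is only safe if that allocation zero-fills — it is outside this hunk. Moving `data->scan_params = scan_data_local;` out of the inner `else` so it runs right after the `if (!scan_data_local)` check restores the previous behaviour with one relocated line. The block would also benefit from an ownership comment, since `data->scan_params` aliases the caller's `scan_data` in one branch and a locally allocated struct in the other and only the latter is released on the error path below, e.g. `/* scan_data_local is owned here and freed on the ret < 0 path; caller-supplied scan_data is never freed by this function */`. g_supplicant_interface_scan starts and ends outside this hunk.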
@@ -6735,6 +6736,9 @@ int g_supplicant_interface_scan(GSupplicantInterface *interface,
                        interface);
 
        if (ret < 0) {
+#if defined TIZEN_EXT
+               g_free(scan_data_local);
+#endif
                g_free(data->path);
                dbus_free(data);
        }
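Review bot: `g_free(scan_data_local)` on the `ret < 0` path releases only the struct itself, but by this point set_band_freqs has already run on it; if set_band_freqs_2_4ghz/5ghz allocate `scan_data->freqs` (their bodies are not visible here), that array leaks on every failed scan request. The removed code used `g_supplicant_free_scan_params()` to release a populated params struct, so `g_supplicant_free_scan_params(scan_data_local);` looks like the matching call here; since `scan_data_local` stays NULL on the caller-supplied `scan_data` branch, confirm that helper accepts NULL or keep a NULL guard around it. g_supplicant_interface_scan's body continues outside this hunk.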