From e1a2332132957a7735a6aaf0f79c002d5c81618e Mon Sep 17 00:00:00 2001
From: Jaehyun Kim
Date: Tue, 24 Sep 2024 17:19:37 +0900
Subject: [PATCH] Fix dereference after free in wifi band selection
Change-Id: I12475b502523ce860ede27eb00fff4c9e6c801d6
Signed-off-by: Jaehyun Kim
---
 gsupplicant/supplicant.c | 52 ++++++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 24 deletions(-)
diff --git a/gsupplicant/supplicant.c b/gsupplicant/supplicant.c
index 8225637..1852c45 100755
--- a/gsupplicant/supplicant.c
+++ b/gsupplicant/supplicant.c
@@ -6656,29 +6656,21 @@ static bool set_band_freqs_5ghz(GSupplicantScanParams *scan_data)
 	return true;
 }
 
-static void set_band_freqs(GSupplicantScanParams **scan_data)
+static void set_band_freqs(GSupplicantScanParams *scan_data)
 {
-	GSupplicantScanParams *scan_data_local = NULL;
-
-	if (*scan_data && ((*scan_data)->num_ssids != 0 || (*scan_data)->num_freqs != 0))
-		return;
-
-	scan_data_local = g_try_malloc0(sizeof(GSupplicantScanParams));
-	if (!scan_data_local) {
-		SUPPLICANT_DBG("Failed to allocate memory.");
+	if (!scan_data || scan_data->num_ssids != 0 || scan_data->num_freqs != 0)
 		return;
-	}
 
 	switch (wifi_band_selection_method) {
 	case WIFI_BAND_SELECTION_2_4GHZ:
-		if (!set_band_freqs_2_4ghz(scan_data_local)) {
-			g_free(scan_data_local);
+		if (!set_band_freqs_2_4ghz(scan_data)) {
+			g_free(scan_data);
 			return;
 		}
 		break;
 	case WIFI_BAND_SELECTION_5GHZ:
-		if (!set_band_freqs_5ghz(scan_data_local)) {
-			g_free(scan_data_local);
+		if (!set_band_freqs_5ghz(scan_data)) {
+			g_free(scan_data);
 			return;
 		}
 		break;
@@ -6686,14 +6678,8 @@ static void set_band_freqs(GSupplicantScanParams **scan_data)
 		/* Currently not supported */
 		/* fall through */
 	default:
-		g_free(scan_data_local);
-		return;
+		break;
 	}
-
-	if (*scan_data)
-		g_supplicant_free_scan_params(*scan_data);
-
-	*scan_data = scan_data_local;
 }
 #endif
 
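Review bot: The `g_free(scan_data)` calls in both failure branches of set_band_freqs free an object the function does not own, and every caller path in the later g_supplicant_interface_scan hunk still dereferences that pointer afterwards: `print_scan_freqs(scan_data)` and `data->scan_params = scan_data` run on freed memory when the caller supplied scan_data, and in the locally allocated case the `g_free(scan_data_local)` added in the last hunk becomes a double free when ret < 0. Because the function is void the caller cannot learn that the free happened, so the commit replaces one use-after-free with another. I would make set_band_freqs report failure instead of freeing, returning `true` from the early exit and from `default:` (nothing to do is not an error), and let g_supplicant_interface_scan skip print_scan_freqs and the data->scan_params assignment and release scan_data_local itself when it gets `false`. Whether a failed set_band_freqs_2_4ghz or set_band_freqs_5ghz leaves partially allocated freqs behind is not visible here; if it does, that cleanup also belongs on the caller's failure path. The case labels between this hunk and the `default:` hunk are outside the diff.
```c
static bool set_band_freqs(GSupplicantScanParams *scan_data)
{
	/* Nothing to do is not a failure: the caller keeps its own params. */
	if (!scan_data || scan_data->num_ssids != 0 || scan_data->num_freqs != 0)
		return true;

	switch (wifi_band_selection_method) {
	case WIFI_BAND_SELECTION_2_4GHZ:
		return set_band_freqs_2_4ghz(scan_data);
	case WIFI_BAND_SELECTION_5GHZ:
		return set_band_freqs_5ghz(scan_data);
	/* … unchanged: remaining case labels and their comments … */
	default:
		return true;
	}
}
```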
@@ -6718,13 +6704,28 @@ int g_supplicant_interface_scan(GSupplicantInterface *interface,
 #if defined TIZEN_EXT
 	data->interface->scan_callback = data->callback = callback;
 	data->interface->scan_data = data->user_data = user_data;
-	set_band_freqs(&scan_data);
-	print_scan_freqs(scan_data);
+
+	GSupplicantScanParams *scan_data_local = NULL;
+
+	if (scan_data) {
+		set_band_freqs(scan_data);
+		print_scan_freqs(scan_data);
+		data->scan_params = scan_data;
+	} else {
+		scan_data_local = g_try_malloc0(sizeof(GSupplicantScanParams));
+		if (!scan_data_local) {
+			SUPPLICANT_DBG("Failed to allocate memory.");
+		} else {
+			set_band_freqs(scan_data_local);
+			print_scan_freqs(scan_data_local);
+			data->scan_params = scan_data_local;
+		}
+	}
 #else
 	data->callback = callback;
 	data->user_data = user_data;
-#endif
 	data->scan_params = scan_data;
+#endif
 
 	interface->scan_callback = callback;
 	interface->scan_data = user_data;
@@ -6735,6 +6736,9 @@ int g_supplicant_interface_scan(GSupplicantInterface *interface,
 			interface);
 
 	if (ret < 0) {
+#if defined TIZEN_EXT
+		g_free(scan_data_local);
+#endif
 		g_free(data->path);
 		dbus_free(data);
 	}
-- 
2.7.4
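Review bot: The two arms of the new `if (scan_data) … else …` block in g_supplicant_interface_scan repeat the same three calls on different pointers, and the only thing the else arm adds is the allocation; one `params` pointer with `scan_data_local` kept purely as the ownership marker reads more directly and makes the later `g_free(scan_data_local)` in the ret < 0 path easier to follow. Note also that when the allocation fails `data->scan_params` is never assigned on the TIZEN_EXT path, whereas the #else path always sets it; unless `data` is zero-allocated, which is not visible in this hunk, the scan then proceeds with an uninitialised scan_params, so assigning `data->scan_params = params` unconditionally (NULL on failure) matches the non-TIZEN behaviour. The enclosing function starts before and ends after this hunk.
```c
	GSupplicantScanParams *scan_data_local = NULL;
	GSupplicantScanParams *params = scan_data;

	/* Only the locally allocated params are ours to free later. */
	if (!params) {
		scan_data_local = g_try_malloc0(sizeof(GSupplicantScanParams));
		if (!scan_data_local)
			SUPPLICANT_DBG("Failed to allocate memory.");
		params = scan_data_local;
	}

	if (params) {
		set_band_freqs(params);
		print_scan_freqs(params);
	}
	data->scan_params = params;
	/* … unchanged: #else branch and the rest of the function … */
```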