Fix use-after-free bug when removing a connected network

When removing a network to which wpa_s is currently connected
the network wpa_ssid struct is freed however wpa_s->current_ssid
keeps pointing to it.
current_ssid is being used later on when handling the disassoc
event. This has been seen to lead to wpa_s crash as well as
using corrupted data from wpa_s->current_ssid.

Fix this by refactoring the removal code into a new function and
do the disconnection which uses wpa_s->current_ssid before the
actual removal. The refactoring is required as preparation for
fixes in additional places where this bug exists like dbus.
Changed wpa_supplicant_disassociate to wpa_supplicant_deauthenticate
as there's a mix of these in different handlers of remove network
which doesn't seem right.

Signed-off-by: Eyal Shapira <eyal@wizery.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index b608f29..8323547 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -611,7 +611,8 @@ void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s,
 				   int reason_code);
 void wpa_supplicant_disassociate(struct wpa_supplicant *wpa_s,
 				 int reason_code);
-
+void wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s,
+				   struct wpa_ssid *ssid);
 void wpa_supplicant_enable_network(struct wpa_supplicant *wpa_s,
 				   struct wpa_ssid *ssid);
 void wpa_supplicant_disable_network(struct wpa_supplicant *wpa_s,