From c1ff06e11945d635c39ddaf8ec00939054fc4308 Mon Sep 17 00:00:00 2001 From: Andrew Zaborowski Date: Fri, 23 Oct 2020 03:47:29 +0200 Subject: [PATCH] iwd: Fix a use after free In connection_removed we use the id.name that was being g_freed a few lines further down. Fixes: bea6c403677f ('wifi/iwd: handle forgetting connection profiles') --- src/devices/wifi/nm-iwd-manager.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/devices/wifi/nm-iwd-manager.c b/src/devices/wifi/nm-iwd-manager.c index a19c8b2afd..402480d279 100644 --- a/src/devices/wifi/nm-iwd-manager.c +++ b/src/devices/wifi/nm-iwd-manager.c @@ -692,15 +692,16 @@ connection_removed(NMSettings *settings, NMSettingsConnection *sett_conn, gpoint gboolean mapped; KnownNetworkData * data; KnownNetworkId id; + gs_free char * ssid_str = NULL; id.security = nm_wifi_connection_get_iwd_security(conn, &mapped); if (!mapped) return; s_wireless = nm_connection_get_setting_wireless(conn); - id.name = _nm_utils_ssid_to_utf8(nm_setting_wireless_get_ssid(s_wireless)); + ssid_str = _nm_utils_ssid_to_utf8(nm_setting_wireless_get_ssid(s_wireless)); + id.name = ssid_str; data = g_hash_table_lookup(priv->known_networks, &id); - g_free((char *) id.name); if (!data) return;