mwifiex: fix use-after-free in beacon_ie processing

beacon_ie buffer is allocated in mwifiex_fill_new_bss_desc()
and the buffer pointer is saved in bss_desc->beacon_buf.
beacon_ie is freed before the function returns. However,
bss_desc->beacon_buf is still being accessed afterwards.
Fix it by allocating and freeing the beacon_ie buffer in
caller's scope.

BUG=chrome-os-partner:18602
TEST=able to associate to AP with and without
slub_debug=FZPUA kernel option.

Change-Id: If6ba90dc3a6d6890a4c891a0c4ab06d46f8cdcc9
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/47621
Reviewed-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
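
The ownership change the commit message describes, as an added userspace C sketch that is not the driver's code or part of the commit. Only the names beacon_ie and beacon_buf come from the message; the struct layout, function names and the malloc/free stand-ins for kernel allocation are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the driver's descriptor; only the beacon_buf
 * field name is taken from the commit message. */
struct bss_desc { uint8_t *beacon_buf; size_t beacon_len; };

/* BEFORE: callee allocates, publishes the pointer, then frees it, so
 * desc->beacon_buf dangles on return. For contrast only; never called. */
int fill_desc_buggy(struct bss_desc *desc, const uint8_t *ies, size_t len)
{
    uint8_t *beacon_ie = malloc(len);
    if (!beacon_ie) return -1;
    memcpy(beacon_ie, ies, len);
    desc->beacon_buf = beacon_ie;
    desc->beacon_len = len;
    free(beacon_ie);              /* freed while desc still points at it */
    return 0;
}

/* AFTER: callee only borrows a buffer whose lifetime the caller controls. */
void fill_desc_fixed(struct bss_desc *desc, uint8_t *beacon_ie, size_t len)
{
    desc->beacon_buf = beacon_ie;
    desc->beacon_len = len;
}

/* Stand-in for the code that reads desc->beacon_buf after the fill. */
unsigned sum_ies(const struct bss_desc *desc)
{
    unsigned sum = 0;
    for (size_t i = 0; i < desc->beacon_len; i++) sum += desc->beacon_buf[i];
    return sum;
}

/* Caller allocates, uses the descriptor, clears the alias, then frees. */
int associate_fixed(const uint8_t *ies, size_t len, unsigned *out)
{
    struct bss_desc desc = { 0 };
    uint8_t *beacon_ie = len ? malloc(len) : NULL;
    if (!beacon_ie) return -1;
    memcpy(beacon_ie, ies, len);
    fill_desc_fixed(&desc, beacon_ie, len);
    *out = sum_ies(&desc);        /* buffer is still live here */
    desc.beacon_buf = NULL;       /* no dangling pointer survives the free */
    free(beacon_ie);
    return 0;
}
```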