Fix external radio_work deinit path

The radio_work type was stored within the dynamically allocated
wpa_radio_work buffer and that buffer ended up getting freed before the
final use of the type string within radio_work_done(). This resulted in
freed memory being used for a debug print. Avoid this by freeing the
wpa_external_work instance after having completed radio_work_done() for
the related work.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 65b2f7d..4dc886e 100644 (file)
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -5658,8 +5658,8 @@ static int wpas_ctrl_radio_work_done(struct wpa_supplicant *wpa_s, char *cmd)
                        "Completed external radio work %u (%s)",
                        ework->id, ework->type);
                eloop_cancel_timeout(wpas_ctrl_radio_work_timeout, work, NULL);
-               os_free(ework);
                radio_work_done(work);
+               os_free(ework);
                return 3; /* "OK\n" */
        }