projects / mech_eap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 13c3303)
Fix external radio work stopping to not read freed memory
authorJouni Malinen <j@w1.fi>
Sat, 31 May 2014 19:58:51 +0000 (22:58 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 31 May 2014 19:58:51 +0000 (22:58 +0300)
The dynamically allocated struct wpa_external_work contains the name of
the radio work in the type field and this is used in a debug print
within radio_work_done(). Re-order radio_work_done() and os_free() calls
on couple of paths where the memory was freed before that final user of
the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/ctrl_iface.c patch | blob | history

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 88a4cd9..53e23ff 100644 (file)
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -5808,8 +5808,8 @@ static void wpas_ctrl_radio_work_timeout(void *eloop_ctx, void *timeout_ctx)
                "Timing out external radio work %u (%s)",
                ework->id, work->type);
        wpa_msg(work->wpa_s, MSG_INFO, EXT_RADIO_WORK_TIMEOUT "%u", ework->id);
-       os_free(ework);
        radio_work_done(work);
+       os_free(ework);
 }
 
 
@@ -5951,8 +5951,8 @@ void wpas_ctrl_radio_work_flush(struct wpa_supplicant *wpa_s)
                if (work->started)
                        eloop_cancel_timeout(wpas_ctrl_radio_work_timeout,
                                             work, NULL);
-               os_free(ework);
                radio_work_done(work);
+               os_free(ework);
        }
 }
 
Moonshot GSS-API mechanism