
P2P NFC: Fix use of freed memory

The dev_found() callback from NFC connection handover message processing
ended up using the p2p_dev_addr pointer that points to the parsed
message. However, that parsed data was freed just before the call. Fix
this by reordering the calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 10 years ago
parent
commit
8a387a269d
1 changed files with 2 additions and 2 deletions

src/p2p/p2p.c

@@ -4638,10 +4638,9 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 			  params->go_ssid_len);
 	}
 
-	p2p_parse_free(&msg);
-
 	if (dev->flags & P2P_DEV_USER_REJECTED) {
 		p2p_dbg(p2p, "Do not report rejected device");
+		p2p_parse_free(&msg);
 		return 0;
 	}
 
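Review bot: The P2P_DEV_USER_REJECTED early return now carries its own p2p_parse_free(&msg), so the release of msg is duplicated across two exit paths and any return added later between this branch and the final free will leak the parsed message. Consider routing both paths through a single cleanup point at the end of the msg lifetime, or at least adding a short comment at this return stating that msg is still owned here and must be freed before leaving.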
@@ -4650,6 +4649,7 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 				    !(dev->flags & P2P_DEV_REPORTED_ONCE));
 		dev->flags |= P2P_DEV_REPORTED | P2P_DEV_REPORTED_ONCE;
 	}
+	p2p_parse_free(&msg);
 
 	if (role == P2P_GO_IN_A_GROUP && p2p->num_groups > 0)
 		params->next_step = BOTH_GO;
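Review bot: The relocated p2p_parse_free(&msg) after the reporting block has no comment explaining why it must stay below that block, so a later tidy-up could move it back up and reintroduce the use of freed memory. A one-line comment saying that p2p_dev_addr points into msg and that msg must outlive the dev_found() callback would document the ordering constraint the commit message describes. The lines that follow in this hunk read only role, p2p and params, so nothing visible here touches msg after the free.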