From 23ed011bea8e87fe662f888759f4d1e6b1e8d99d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 7 Feb 2015 01:13:34 +0200
Subject: [PATCH] Fix Linux packat socket regression work around

Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux packet socket regression') added a mechanism to close the workaround bridge socket in l2_packet_receive(). However, it did not take into account the possibility of the l2->rx_callback() closing the l2_packet socket altogether. This could result in use of freed memory when usin RSN pre-authentication. Fix this by reordering the calls to clear the workaround socket before calling the rx_callback.

Signed-off-by: Jouni Malinen
---
 src/l2_packet/l2_packet_linux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/l2_packet/l2_packet_linux.c b/src/l2_packet/l2_packet_linux.c
index 68b20089b..c4e73f694 100644
--- a/src/l2_packet/l2_packet_linux.c
+++ b/src/l2_packet/l2_packet_linux.c
@@ -132,8 +132,6 @@ static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx)
 return;
 }
- l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res);
-
 if (l2->fd_br_rx >= 0) {
 wpa_printf(MSG_DEBUG, "l2_packet_receive: Main packet socket for %s seems to have working RX - close workaround bridge socket", l2->ifname);
@@ -141,6 +139,8 @@ static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx)
 close(l2->fd_br_rx);
 l2->fd_br_rx = -1;
 }
+
+ l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res);
 }
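Review bot: The re-added `l2->rx_callback(...)` call at the end of the second hunk is only safe while it stays the last statement of l2_packet_receive(), and nothing in the code records that. Per the commit message the callback can close the l2_packet socket, which presumably frees `l2`, so any statement later placed after the call that reads `l2` would bring the use of freed memory back on a path driven by received frames. I would put a comment directly above the call, e.g. `/* rx_callback() may close the l2_packet socket and free l2; do not touch l2 after this call */`. The arguments `ll.sll_addr` and `buf` look like locals of this function rather than members of `l2`, which would keep them valid during the call, but their declarations are outside the hunk and should be confirmed. The function body starts above the first hunk.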