From df48efc5aba6e4f360cd41cac67aa1859607ea2c Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 31 May 2014 22:58:51 +0300
Subject: [PATCH] Fix external radio work stopping to not read freed memory

The dynamically allocated struct wpa_external_work contains the name of
the radio work in the type field and this is used in a debug print
within radio_work_done(). Re-order radio_work_done() and os_free() calls
on couple of paths where the memory was freed before that final user of
the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 wpa_supplicant/ctrl_iface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 88a4cd95f..53e23fff0 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -5808,8 +5808,8 @@ static void wpas_ctrl_radio_work_timeout(void *eloop_ctx, void *timeout_ctx)
 		"Timing out external radio work %u (%s)",
 		ework->id, work->type);
 	wpa_msg(work->wpa_s, MSG_INFO, EXT_RADIO_WORK_TIMEOUT "%u", ework->id);
-	os_free(ework);
 	radio_work_done(work);
+	os_free(ework);
 }
 
 
@@ -5951,8 +5951,8 @@ void wpas_ctrl_radio_work_flush(struct wpa_supplicant *wpa_s)
 		if (work->started)
 			eloop_cancel_timeout(wpas_ctrl_radio_work_timeout,
 					     work, NULL);
-		os_free(ework);
 		radio_work_done(work);
+		os_free(ework);
 	}
 }