Fix Linux packat socket regression work around

Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux
packet socket regression') added a mechanism to close the workaround
bridge socket in l2_packet_receive(). However, it did not take into
account the possibility of the l2->rx_callback() closing the l2_packet
socket altogether. This could result in use of freed memory when usin
RSN pre-authentication. Fix this by reordering the calls to clear the
workaround socket before calling the rx_callback.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/l2_packet/l2_packet_linux.c b/src/l2_packet/l2_packet_linux.c
index 68b20089b1025e3c49fe2cc06ce8b442dc82d416..c4e73f69486438b36e38172aadf9f4964a2a3504 100644 (file)
--- a/src/l2_packet/l2_packet_linux.c
+++ b/src/l2_packet/l2_packet_linux.c
@@ -132,8 +132,6 @@ static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx)
                return;
        }
 
-       l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res);
-
        if (l2->fd_br_rx >= 0) {
                wpa_printf(MSG_DEBUG, "l2_packet_receive: Main packet socket for %s seems to have working RX - close workaround bridge socket",
                           l2->ifname);
@@ -141,6 +139,8 @@ static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx)
                close(l2->fd_br_rx);
                l2->fd_br_rx = -1;
        }
+
+       l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res);
 }