dbus: Reorder deauthentication and cleanup calls when removing a network

Valgrind indicates reference to already freed memory if function
wpa_config_remove_network() is called prior to calling
wpa_supplicant_deauthenticate(), and this can lead to a crash.
Inverting the call order fixes the problem.

Signed-off-by: Hannu Mallat <hannu.mallat@jollamobile.com>

diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index 33a1ba94dde4fc3fcb1fe3f88e7154f53d1056d5..bd38d65e034f1f50b9d797bcaf76ed97bdb09c31 100644 (file)
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -1583,16 +1583,6 @@ DBusMessage * wpas_dbus_handler_remove_network(DBusMessage *message,
 
        wpas_notify_network_removed(wpa_s, ssid);
 
-       if (wpa_config_remove_network(wpa_s->conf, id) < 0) {
-               wpa_printf(MSG_ERROR,
-                          "wpas_dbus_handler_remove_network[dbus]: "
-                          "error occurred when removing network %d", id);
-               reply = wpas_dbus_error_unknown_error(
-                       message, "error removing the specified network on "
-                       "this interface.");
-               goto out;
-       }
-
        if (ssid == wpa_s->current_ssid)
                wpa_supplicant_deauthenticate(wpa_s,
                                              WLAN_REASON_DEAUTH_LEAVING);
@@ -1603,6 +1593,15 @@ DBusMessage * wpas_dbus_handler_remove_network(DBusMessage *message,
                wpa_supplicant_req_scan(wpa_s, 0, 0);
        }
 
+       if (wpa_config_remove_network(wpa_s->conf, id) < 0) {
+               wpa_printf(MSG_ERROR,
+                          "wpas_dbus_handler_remove_network[dbus]: "
+                          "error occurred when removing network %d", id);
+               reply = wpas_dbus_error_unknown_error(
+                       message, "error removing the specified network on "
+                       "this interface.");
+               goto out;
+       }
 
 out:
        os_free(iface);