A recent change to this moved the place where the processed RADIUS
request was removed from the pending list to happen after the message
handler had been called. This did not take into account possibility of
the handler adding a new pending request in the list and the prev_req
pointer not necessarily pointing to the correct entry anymore. As such,
some of the pending requests could have been lost and that would result
in not being able to process responses to those requests and also, to a
memory leak.
Fix this by determining prev_req at the point when the pending request
is being removed, i.e., after the handler function has already added a
new entry.
Fixes: 726432d7622c ("RADIUS: Drop pending request only when accepting the response")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
struct radius_hdr *hdr;
struct radius_rx_handler *handlers;
size_t num_handlers, i;
- struct radius_msg_list *req, *prev_req;
+ struct radius_msg_list *req, *prev_req, *r;
struct os_reltime now;
struct hostapd_radius_server *rconf;
int invalid_authenticator = 0;
break;
}
- prev_req = NULL;
req = radius->msgs;
while (req) {
/* TODO: also match by src addr:port of the packet when using
hdr->identifier)
break;
- prev_req = req;
req = req->next;
}
/* fall through */
case RADIUS_RX_QUEUED:
/* Remove ACKed RADIUS packet from retransmit list */
+ prev_req = NULL;
+ for (r = radius->msgs; r; r = r->next) {
+ if (r == req)
+ break;
+ prev_req = r;
+ }
if (prev_req)
prev_req->next = req->next;
else
projects / thirdparty / hostap.git / commitdiff
