git.ipfire.org Git - thirdparty/ipxe.git/commitdiff
[802.11] Fix a use-after-free
author Joshua Oreman <oremanj@rwcr.net>
Fri, 30 Jul 2010 03:13:31 +0000 (20:13 -0700)
committer Michael Brown <mcb30@ipxe.org>
Sun, 1 Aug 2010 16:29:57 +0000 (17:29 +0100)
When we received an encrypted packet, after replacing it with its
decrypted version and freeing the encrypted original, we would
continue to look at the header of the now-freed original packet. Fix
by moving the header pointer to point at the decrypted packet instead.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/net/80211/net80211.c

index 7b39114526597ea4ad760869d5f542b147c6164a..ffa5c9110ac0f71fb21b8f40999438af84dbbb93 100644 (file)
@@ -2720,6 +2720,7 @@ void net80211_rx ( struct net80211_device *dev, struct io_buffer *iob,
                }
                free_iob ( iob );
                iob = niob;
+               hdr = iob->data;
        }
 
        dev->last_signal = signal;
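
Review bot: the added `hdr = iob->data;` line would benefit from a one-line comment saying that hdr previously pointed into the buffer just released by `free_iob ( iob )`, because without it the reassignment reads as redundant and could be dropped in a later cleanup. Only hdr is refreshed after `iob = niob;`, so it is also worth confirming that no other local in net80211_rx() was derived from the old iob before this block, since any such pointer would still reference the freed buffer. The hunk does not show the code after `dev->last_signal = signal;`, so that check has to be made against the full function.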