NAN USD: Fix use-after free when a service expires
authorBenjamin Berg <benjamin.berg@intel.com>
Fri, 21 Nov 2025 13:46:43 +0000 (14:46 +0100)
committerJouni Malinen <j@w1.fi>
Mon, 1 Dec 2025 21:37:57 +0000 (23:37 +0200)
Cancelling the offload has to happen before the service is deleted, not
afterwards.

Fixes: f2ee7ca99c79 ("NAN USD: Trigger USD offload cancellation upon timer expiration")
CC: Vinay Gannevaram <quic_vganneva@quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
src/common/nan_de.c

index e4e20f3cb82a08fbbac981ebccfe8a322420a378..5a5b761bd21904fa053501c153b92838171d496d 100644 (file)
@@ -605,7 +605,6 @@ static void nan_de_timer(void *eloop_ctx, void *timeout_ctx)
                if (nan_de_srv_expired(srv, &now)) {
                        wpa_printf(MSG_DEBUG, "NAN: Service id %d expired",
                                   srv->id);
-                       nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);
                        if (srv->type == NAN_DE_PUBLISH &&
                            de->cb.offload_cancel_publish)
                                de->cb.offload_cancel_publish(de->cb.ctx,
@@ -614,6 +613,7 @@ static void nan_de_timer(void *eloop_ctx, void *timeout_ctx)
                            de->cb.offload_cancel_subscribe)
                                de->cb.offload_cancel_subscribe(de->cb.ctx,
                                                                srv->id);
+                       nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);
                        continue;
                }
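Review bot: The re-added `nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);` is now the last use of `srv` in this branch, but nothing in the code records that ordering requirement, which is how the regression named in the Fixes: tag could slip in. A comment directly above the call, such as `/* Must be last: nan_de_del_srv() frees srv, and the offload cancel callbacks above read srv->id. */`, would keep a later edit from reordering these statements again. Separately, the `offload_cancel_publish` / `offload_cancel_subscribe` callbacks now run while the service is still registered; their implementations are not visible here, so it is worth confirming that none of them can re-enter the discovery engine and delete the same service before this call runs. The loop body and the rest of nan_de_timer() lie outside the hunk.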