P2P NFC: Fix use of freed memory
authorJouni Malinen <j@w1.fi>
Sat, 31 May 2014 20:10:33 +0000 (23:10 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 31 May 2014 20:10:33 +0000 (23:10 +0300)
The dev_found() callback from NFC connection handover message processing
ended up using the p2p_dev_addr pointer that points to the parsed
message. However, that parsed data was freed just before the call. Fix
this by reordering the calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/p2p/p2p.c

index 1a190414b07bf33e937882c6d55b0204fb77907e..1875ca4d40b7c71bfadc5efe70dd03f5d7aae3d6 100644 (file)
@@ -4638,10 +4638,9 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
                          params->go_ssid_len);
        }
 
-       p2p_parse_free(&msg);
-
        if (dev->flags & P2P_DEV_USER_REJECTED) {
                p2p_dbg(p2p, "Do not report rejected device");
+               p2p_parse_free(&msg);
                return 0;
        }
 
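Review bot: The release of `msg` is now repeated on the rejected-device return path, so the cleanup is spread across exits, and a later early return added before the final free would leak the parsed message. A single cleanup label reached by `goto` would keep the release in one place. Short of that, a comment at this return such as `/* msg must stay valid until dev_found() below; free on every exit */` records the constraint. The function starts and ends outside the hunk, so its other return paths cannot be checked from here.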
@@ -4650,6 +4649,7 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
                                    !(dev->flags & P2P_DEV_REPORTED_ONCE));
                dev->flags |= P2P_DEV_REPORTED | P2P_DEV_REPORTED_ONCE;
        }
+       p2p_parse_free(&msg);
 
        if (role == P2P_GO_IN_A_GROUP && p2p->num_groups > 0)
                params->next_step = BOTH_GO;
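Review bot: Nothing at the relocated `p2p_parse_free(&msg);` says why it has to sit after the dev_found() block, so a later cleanup could move it back up and reintroduce the use of freed memory. I would add `/* p2p_dev_addr points into msg; do not free before dev_found() */` directly above it. The function continues past the hunk, so whether any pointer derived from msg is read after this line is not visible here. If `p2p_dev_addr` is a local, setting it to NULL right after the free would make such a read fail visibly instead of touching freed memory.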