From: Jouni Malinen
Date: Fri, 6 Feb 2015 23:13:34 +0000 (+0200)
Subject: Fix Linux packet socket regression work around
X-Git-Tag: hostap_2_4~172
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23ed011bea8e87fe662f888759f4d1e6b1e8d99d;p=thirdparty%2Fhostap.git

Fix Linux packet socket regression work around

Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux packet socket regression') added a mechanism to close the workaround bridge socket in l2_packet_receive(). However, it did not take into account the possibility of the l2->rx_callback() closing the l2_packet socket altogether. This could result in use of freed memory when using RSN pre-authentication. Fix this by reordering the calls to clear the workaround socket before calling the rx_callback.

Signed-off-by: Jouni Malinen
---

diff --git a/src/l2_packet/l2_packet_linux.c b/src/l2_packet/l2_packet_linux.c index 68b20089b..c4e73f694 100644 --- a/src/l2_packet/l2_packet_linux.c +++ b/src/l2_packet/l2_packet_linux.c @@ -132,8 +132,6 @@ static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) return; } - l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res); - if (l2->fd_br_rx >= 0) { wpa_printf(MSG_DEBUG, "l2_packet_receive: Main packet socket for %s seems to have working RX - close workaround bridge socket", l2->ifname); @@ -141,6 +139,8 @@ static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) close(l2->fd_br_rx); l2->fd_br_rx = -1; } + + l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res); }
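
Review bot: The relocated `l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res);` call at the end of l2_packet_receive() in the second hunk carries no comment explaining why it has to come last, so the ordering that prevents the use of freed memory is enforced only by position. The commit message says the callback can close the l2_packet socket altogether, which means `l2` may no longer be valid once the call returns; a later change that adds any statement touching `l2` (such as another `l2->fd_br_rx` check) after this line would reintroduce the bug without any warning. Please add a short comment directly above the call, for example `/* rx_callback may close this l2_packet and free l2; do not dereference l2 after this call */`, and keep the call as the final statement of the function.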