From: Joshua Oreman Date: Fri, 30 Jul 2010 03:13:31 +0000 (-0700) Subject: [802.11] Fix a use-after-free X-Git-Tag: v1.20.1~2589 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73aea88a62ac46464a2eec7a94a6350ae7a36bbf;p=thirdparty%2Fipxe.git [802.11] Fix a use-after-free When we received an encrypted packet, after replacing it with its decrypted version and freeing the encrypted original, we would continue to look at the header of the now-freed original packet. Fix by moving the header pointer to point at the decrypted packet instead. Signed-off-by: Michael Brown --- diff --git a/src/net/80211/net80211.c b/src/net/80211/net80211.c index 7b3911452..ffa5c9110 100644 --- a/src/net/80211/net80211.c +++ b/src/net/80211/net80211.c @@ -2720,6 +2720,7 @@ void net80211_rx ( struct net80211_device *dev, struct io_buffer *iob, } free_iob ( iob ); iob = niob; + hdr = iob->data; } dev->last_signal = signal;
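Review bot: the added `hdr = iob->data;` after `free_iob ( iob ); iob = niob;` has no comment saying that `hdr` aliases the buffer that was just freed, so a later refactor of this branch could drop or reorder it and silently reintroduce the stale read. A one-line comment such as "hdr pointed into the freed encrypted iob; re-point it at the decrypted copy" would make the dependency explicit. The same reasoning applies to any other local in net80211_rx that was derived from the original `iob` before the swap. Only `hdr` is refreshed in this hunk, so it is worth confirming that nothing else computed from the old buffer is still read after this point, including on the `dev->last_signal = signal;` path that follows. A more robust shape would be to derive `hdr` from `iob->data` only after the decrypt-and-replace step, so that no pointer into the encrypted buffer outlives `free_iob`.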