From: Benjamin Berg <benjamin.berg@intel.com>
Date: Fri, 21 Nov 2025 13:46:43 +0000 (+0100)
Subject: NAN USD: Fix use-after free when a service expires
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83d3bc384257691c41339748dfa7abc99b0af42d;p=thirdparty%2Fhostap.git

NAN USD: Fix use-after free when a service expires

Cancelling the offload has to happen before the service is deleted, not
afterwards.

Fixes: f2ee7ca99c79 ("NAN USD: Trigger USD offload cancellation upon timer expiration")
CC: Vinay Gannevaram <quic_vganneva@quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
---

diff --git a/src/common/nan_de.c b/src/common/nan_de.c
index e4e20f3cb..5a5b761bd 100644
--- a/src/common/nan_de.c
+++ b/src/common/nan_de.c
@@ -605,7 +605,6 @@ static void nan_de_timer(void *eloop_ctx, void *timeout_ctx)
 		if (nan_de_srv_expired(srv, &now)) {
 			wpa_printf(MSG_DEBUG, "NAN: Service id %d expired",
 				   srv->id);
-			nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);
 			if (srv->type == NAN_DE_PUBLISH &&
 			    de->cb.offload_cancel_publish)
 				de->cb.offload_cancel_publish(de->cb.ctx,
@@ -614,6 +613,7 @@ static void nan_de_timer(void *eloop_ctx, void *timeout_ctx)
 			    de->cb.offload_cancel_subscribe)
 				de->cb.offload_cancel_subscribe(de->cb.ctx,
 								srv->id);
+			nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);
 			continue;
 		}