From 3a593ff5b24440dfdfbc0764a748f370956159f5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 31 Dec 2014 16:54:48 +0200
Subject: [PATCH] D-Bus (old): Fix removeNetwork method to not use freed memory

wpa_supplicant_deauthenticate() call needs to happen before wpa_config_remove_network(). Freed memory could be dereferenced if removeNetwork method was issued on the currently connected network.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/dbus/dbus_old_handlers.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/wpa_supplicant/dbus/dbus_old_handlers.c b/wpa_supplicant/dbus/dbus_old_handlers.c
index 0f1f5cfc6..b9c631d76 100644
--- a/wpa_supplicant/dbus/dbus_old_handlers.c
+++ b/wpa_supplicant/dbus/dbus_old_handlers.c
@@ -866,6 +866,10 @@ DBusMessage * wpas_dbus_iface_remove_network(DBusMessage *message,
 wpas_notify_network_removed(wpa_s, ssid);
+ if (ssid == wpa_s->current_ssid)
+ wpa_supplicant_deauthenticate(wpa_s,
+ WLAN_REASON_DEAUTH_LEAVING);
+
 if (wpa_config_remove_network(wpa_s->conf, id) < 0) {
 reply = dbus_message_new_error(message,
 WPAS_ERROR_REMOVE_NETWORK_ERROR,
@@ -874,9 +878,6 @@ DBusMessage * wpas_dbus_iface_remove_network(DBusMessage *message,
 goto out;
 }
- if (ssid == wpa_s->current_ssid)
- wpa_supplicant_deauthenticate(wpa_s,
- WLAN_REASON_DEAUTH_LEAVING);
 reply = wpas_dbus_new_success_reply(message);
 out:
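Review bot: The ordering this fix depends on is not recorded in the code: in the first hunk, nothing beside the moved `if (ssid == wpa_s->current_ssid)` block says it must stay ahead of `wpa_config_remove_network()`, so a later tidy-up could move it back and reintroduce the use of freed memory. A comment above the block would pin it, e.g. `/* Must run before wpa_config_remove_network(); deauthenticating after the current network is removed dereferences freed memory. */`. As a side effect of the new order, the `< 0` failure path now returns WPAS_ERROR_REMOVE_NETWORK_ERROR after the interface has already been deauthenticated. That path is presumably hard to reach if `ssid` was looked up from the same `id` earlier in the function, which starts outside the hunk, but it is worth confirming that callers can tolerate it. After the removal call `ssid` should be treated as dangling; the visible remainder of the second hunk does not touch it.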