From 70fd8287eb3b1a62c6a7e78db511f1cc9ba43836 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 28 Feb 2015 20:52:08 +0200
Subject: [PATCH] RADIUS client: Fix previous failover change

Commit 347c55e216f22002246e378097a16ecb24b7c106 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a possibility of
executing RADIUS server failover change within
radius_client_retransmit() without taking into account that this
operation may end up freeing the pending message that is being
processed. This could result in use of freed memory. Avoid this by
checking whether any pending messages have been removed and if so, do
not try to retransmit the potentially freed message.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/radius/radius_client.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
index 95f18537a..76c76a6af 100644
--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
@@ -335,13 +335,18 @@ static int radius_client_retransmit(struct radius_client_data *radius,
 	struct hostapd_radius_servers *conf = radius->conf;
 	int s;
 	struct wpabuf *buf;
+	size_t prev_num_msgs;
 
 	if (entry->msg_type == RADIUS_ACCT ||
 	    entry->msg_type == RADIUS_ACCT_INTERIM) {
 		if (radius->acct_sock < 0)
 			radius_client_init_acct(radius);
-		if (radius->acct_sock < 0 && conf->num_acct_servers > 1)
+		if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
+			prev_num_msgs = radius->num_msgs;
 			radius_client_auth_failover(radius);
+			if (prev_num_msgs != radius->num_msgs)
+				return 0;
+		}
 		s = radius->acct_sock;
 		if (entry->attempts == 0)
 			conf->acct_server->requests++;
@@ -352,8 +357,12 @@ static int radius_client_retransmit(struct radius_client_data *radius,
 	} else {
 		if (radius->auth_sock < 0)
 			radius_client_init_auth(radius);
-		if (radius->auth_sock < 0 && conf->num_auth_servers > 1)
+		if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
+			prev_num_msgs = radius->num_msgs;
 			radius_client_auth_failover(radius);
+			if (prev_num_msgs != radius->num_msgs)
+				return 0;
+		}
 		s = radius->auth_sock;
 		if (entry->attempts == 0)
 			conf->auth_server->requests++;