From 8a387a269ddfcc79d455693c1822b287ef6fcb05 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 31 May 2014 23:10:33 +0300
Subject: [PATCH] P2P NFC: Fix use of freed memory

The dev_found() callback from NFC connection handover message processing ended up using the p2p_dev_addr pointer that points to the parsed message. However, that parsed data was freed just before the call. Fix this by reordering the calls.

Signed-off-by: Jouni Malinen
---
 src/p2p/p2p.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 1a190414b..1875ca4d4 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -4638,10 +4638,9 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 				       params->go_ssid_len);
 	}
 
-	p2p_parse_free(&msg);
-
 	if (dev->flags & P2P_DEV_USER_REJECTED) {
 		p2p_dbg(p2p, "Do not report rejected device");
+		p2p_parse_free(&msg);
 		return 0;
 	}
 
@@ -4650,6 +4649,7 @@ int p2p_process_nfc_connection_handover(struct p2p_data *p2p,
 		    !(dev->flags & P2P_DEV_REPORTED_ONCE));
 		dev->flags |= P2P_DEV_REPORTED | P2P_DEV_REPORTED_ONCE;
 	}
+	p2p_parse_free(&msg);
 
 	if (role == P2P_GO_IN_A_GROUP && p2p->num_groups > 0)
 		params->next_step = BOTH_GO;
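Review bot: The new code now has two p2p_parse_free(&msg) call sites (the rejected-device branch in the first hunk and the line after the P2P_DEV_REPORTED block in the second) whose placement encodes an invariant the code does not state — p2p_dev_addr aliases into msg and must stay valid until dev_found() returns — so any early return added later between the two sites would either leak msg or reintroduce the same use-after-free. A comment above the dev_found() block, `/* p2p_dev_addr points into msg; msg must stay allocated until dev_found() has returned */`, would pin that lifetime, and routing both exits through one cleanup label that calls p2p_parse_free() would remove the duplicated free. The lines between the two hunks (the P2P_DEV_REPORTED check and the dev_found() call itself) are not shown, so I am assuming there is no other return path there. p2p_process_nfc_connection_handover() begins and ends outside both hunks.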