From 73aea88a62ac46464a2eec7a94a6350ae7a36bbf Mon Sep 17 00:00:00 2001 From: Joshua Oreman Date: Thu, 29 Jul 2010 20:13:31 -0700 Subject: [PATCH] [802.11] Fix a use-after-free When we received an encrypted packet, after replacing it with its decrypted version and freeing the encrypted original, we would continue to look at the header of the now-freed original packet. Fix by moving the header pointer to point at the decrypted packet instead. Signed-off-by: Michael Brown --- src/net/80211/net80211.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/net/80211/net80211.c b/src/net/80211/net80211.c index 7b391145..ffa5c911 100644 --- a/src/net/80211/net80211.c +++ b/src/net/80211/net80211.c @@ -2720,6 +2720,7 @@ void net80211_rx ( struct net80211_device *dev, struct io_buffer *iob, } free_iob ( iob ); iob = niob; + hdr = iob->data; } dev->last_signal = signal;
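
Review bot: The added `hdr = iob->data;` after `iob = niob;` has no comment, so nothing at that spot tells a later reader that `hdr` had been pointing into the buffer just handed to `free_iob ( iob )`. A one-line comment above it would help, saying that the header pointer must be re-derived because the encrypted original has been freed. It is also worth confirming that no other pointer or offset computed from the old `iob` earlier in `net80211_rx` is read after this block, since the hunk shows only `hdr` being refreshed. The fix assumes the decrypted `niob` starts with the 802.11 header at `iob->data`; if the decryption routine guarantees that layout, say so in the comment so the assumption can be checked.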