From 3774519631203e4c3b05ad6c32ce1e8aaca54d2e Mon Sep 17 00:00:00 2001
From: Andreas Eversberg
Date: Sun, 2 Jul 2017 10:44:47 +0200
Subject: NMT: Fixed "use after free" bug
---
 src/nmt/nmt.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'src/nmt')
diff --git a/src/nmt/nmt.c b/src/nmt/nmt.c
index 1ab0af0..1739886 100644
--- a/src/nmt/nmt.c
+++ b/src/nmt/nmt.c
@@ -706,10 +706,11 @@ static void tx_roaming_ident(nmt_t *nmt, frame_t *frame)
 {
 if (++nmt->tx_frame_count == 1)
 PDEBUG_CHAN(DNMT, DEBUG_INFO, "Sending identity request.\n");
+ tx_ident(nmt, frame);
 if (nmt->tx_frame_count == 8) {
+ PDEBUG_CHAN(DNMT, DEBUG_NOTICE, "Timeout waiting for identity reply\n");
 nmt_release(nmt);
 }
- tx_ident(nmt, frame);
 }
 
 static void rx_roaming_ident(nmt_t *nmt, frame_t *frame)
@@ -763,10 +764,11 @@ static void tx_mo_ident(nmt_t *nmt, frame_t *frame)
 {
 if (++nmt->tx_frame_count == 1)
 PDEBUG_CHAN(DNMT, DEBUG_INFO, "Sending identity request.\n");
+ tx_ident(nmt, frame);
 if (nmt->tx_frame_count == 8) {
+ PDEBUG_CHAN(DNMT, DEBUG_NOTICE, "Timeout waiting for identity reply\n");
 nmt_release(nmt);
 }
- tx_ident(nmt, frame);
 }
 
 static void rx_mo_ident(nmt_t *nmt, frame_t *frame)
@@ -1023,12 +1025,13 @@ static void tx_mt_ident(nmt_t *nmt, frame_t *frame)
 
 if (++nmt->tx_frame_count == 1)
 PDEBUG_CHAN(DNMT, DEBUG_INFO, "Sending identity request.\n");
+ tx_ident(nmt, frame);
 if (nmt->tx_frame_count == 8) {
+ PDEBUG_CHAN(DNMT, DEBUG_NOTICE, "Timeout waiting for identity reply\n");
 PDEBUG_CHAN(DNMT, DEBUG_INFO, "Release call towards network.\n");
 call_in_release(trans->callref, CAUSE_TEMPFAIL);
 destroy_transaction(trans);
 }
- tx_ident(nmt, frame);
 }
 
 static void rx_mt_ident(nmt_t *nmt, frame_t *frame)
--
cgit v1.2.3
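Review bot: In tx_roaming_ident, and identically in tx_mo_ident and tx_mt_ident, the fix rests only on statement order: `tx_ident(nmt, frame)` now runs before the release call, but nothing in the new code says why, so a later edit could move it back and reintroduce the use-after-free named in the subject. I would add a comment above the timeout block, for example `/* release must stay last: tx_ident() presumably reads state that the release frees */`, and confirm that against tx_ident's body, which is not in this patch. The literal `8` is repeated in all three functions; a single named constant for the identity-request frame limit would keep the timeout consistent. Whether the callers touch the transaction after these functions return on the timeout path is not visible here and is worth checking as part of the same fix.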
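Review bot: In tx_mt_ident the timeout branch frees the transaction directly with `destroy_transaction(trans)` instead of going through `nmt_release(nmt)` as the other two functions do. The hunk shows no channel state change afterwards, and no clearing of whatever pointer to the transaction `nmt` still holds. If destroy_transaction() does not do both itself, the next frame callback could enter this function again with a stale transaction and `trans->callref` would be read from freed memory; please confirm, and if needed follow the destroy with the same idle/release transition used elsewhere in the file. At minimum a comment such as `/* trans is invalid from here on */` after the destroy call would document the lifetime. The start of the function, including where `trans` is assigned, lies outside the hunk.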