[PATCH 2/2] NAN USD: Fix use-after free when a service expires

Fri Nov 21 05:46:43 PST 2025

From: Benjamin Berg <benjamin.berg at intel.com>

Cancelling the offload has to happen before the service is deleted, not
afterwards.

Fixes: f2ee7ca99c79 ("NAN USD: Trigger USD offload cancellation upon timer expiration")
CC: Vinay Gannevaram <quic_vganneva at quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg at intel.com>
---
 src/common/nan_de.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/common/nan_de.c b/src/common/nan_de.c
index e4e20f3cb8..5a5b761bd2 100644
--- a/src/common/nan_de.c
+++ b/src/common/nan_de.c
@@ -605,7 +605,6 @@ static void nan_de_timer(void *eloop_ctx, void *timeout_ctx)
 		if (nan_de_srv_expired(srv, &now)) {
 			wpa_printf(MSG_DEBUG, "NAN: Service id %d expired",
 				   srv->id);
-			nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);
 			if (srv->type == NAN_DE_PUBLISH &&
 			    de->cb.offload_cancel_publish)
 				de->cb.offload_cancel_publish(de->cb.ctx,
@@ -614,6 +613,7 @@ static void nan_de_timer(void *eloop_ctx, void *timeout_ctx)
 			    de->cb.offload_cancel_subscribe)
 				de->cb.offload_cancel_subscribe(de->cb.ctx,
 								srv->id);
+			nan_de_del_srv(de, srv, NAN_DE_REASON_TIMEOUT);
 			continue;
 		}
 
-- 
2.51.1


