wispr: Prevent use-after-free from __connman_wispr_stop() 63/275463/2 accepted/tizen/unified/20220530.140608 submit/tizen/20220527.121228
authorSeung-Woo Kim <sw0312.kim@samsung.com>
Tue, 24 May 2022 09:59:21 +0000 (18:59 +0900)
committerJaehyun Kim <jeik01.kim@samsung.com>
Fri, 27 May 2022 07:57:18 +0000 (07:57 +0000)
In __connman_wispr_stop(), the list element wispr_portal is accessed after
g_hash_table_remove() has freed it. Prevent the use-after-free by
accessing the list element before it is freed.

Change-Id: I17fdb38c1d9a0f8dd2980c33d3f78f319f504ed6

src/wispr.c

index fb101a1..4674ae4 100755 (executable)
@@ -1047,17 +1047,11 @@ void __connman_wispr_stop(struct connman_service *service)
        if (!wispr_portal)
                return;
 
-       if (wispr_portal->ipv4_context) {
-               if (service == wispr_portal->ipv4_context->service)
-                       g_hash_table_remove(wispr_portal_list,
-                                       GINT_TO_POINTER(index));
-       }
-
-       if (wispr_portal->ipv6_context) {
-               if (service == wispr_portal->ipv6_context->service)
-                       g_hash_table_remove(wispr_portal_list,
-                                       GINT_TO_POINTER(index));
-       }
+       if ((wispr_portal->ipv4_context &&
+            service == wispr_portal->ipv4_context->service) ||
+           (wispr_portal->ipv6_context &&
+            service == wispr_portal->ipv6_context->service))
+               g_hash_table_remove(wispr_portal_list, GINT_TO_POINTER(index));
 }
 
 int __connman_wispr_init(void)
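Review bot: The merged condition in front of `g_hash_table_remove()` has no comment recording why the IPv4 and IPv6 checks must be evaluated together, so a later cleanup could split them again and bring back the read of `wispr_portal` after it was freed. I would add `/* Check both contexts before removing: g_hash_table_remove() frees wispr_portal, so it must not be read afterwards. */` directly above the `if`. That wording assumes the table was created with a value-destroy callback that releases the portal, as the commit message implies; the table setup and the lookup of `wispr_portal` are outside this hunk, so confirm it there. After the remove, `wispr_portal` is dangling, which is harmless only because the function returns immediately; the comment should say so, to warn anyone who appends code after the call.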