diff --git a/wpa_supplicant-2.9/src/radius/radius_client.c b/wpa_supplicant-2.9/src/radius/radius_client.c
index a3db4048c4a7ad3d439b0ffdf4a07e97edef6704..6f2b2514be03ffe73e6c69d26d4574beb7f4fc67 100755
--- a/wpa_supplicant-2.9/src/radius/radius_client.c
+++ b/wpa_supplicant-2.9/src/radius/radius_client.c
@@ -821,7 +821,7 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 	struct radius_hdr *hdr;
 	struct radius_rx_handler *handlers;
 	size_t num_handlers, i;
-	struct radius_msg_list *req, *prev_req;
+	struct radius_msg_list *req, *prev_req, *r;
 	struct os_reltime now;
 	struct hostapd_radius_server *rconf;
 	int invalid_authenticator = 0;
@@ -877,7 +877,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		break;
 	}
 
-	prev_req = NULL;
 	req = radius->msgs;
 	while (req) {
 		/* TODO: also match by src addr:port of the packet when using
@@ -889,7 +888,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		    hdr->identifier)
 			break;
 
-		prev_req = req;
 		req = req->next;
 	}
 
@@ -912,13 +910,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		       roundtrip / 100, roundtrip % 100);
 	rconf->round_trip_time = roundtrip;
 
-	/* Remove ACKed RADIUS packet from retransmit list */
-	if (prev_req)
-		prev_req->next = req->next;
-	else
-		radius->msgs = req->next;
-	radius->num_msgs--;
-
 	for (i = 0; i < num_handlers; i++) {
 		RadiusRxResult res;
 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
@@ -929,6 +920,19 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 			radius_msg_free(msg);
 			/* fall through */
 		case RADIUS_RX_QUEUED:
+			/* Remove ACKed RADIUS packet from retransmit list */
+			prev_req = NULL;
+			for (r = radius->msgs; r; r = r->next) {
+				if (r == req)
+					break;
+				prev_req = r;
+			}
+			if (prev_req)
+				prev_req->next = req->next;
+			else
+				radius->msgs = req->next;
+			radius->num_msgs--;
+
 			radius_client_msg_free(req);
 			return;
 		case RADIUS_RX_INVALID_AUTHENTICATOR:
@@ -950,7 +954,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		       msg_type, hdr->code, hdr->identifier,
 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
 		       "");
-	radius_client_msg_free(req);
 
  fail:
 	radius_msg_free(msg);
diff --git a/wpa_supplicant-2.9_standard/src/radius/radius_client.c b/wpa_supplicant-2.9_standard/src/radius/radius_client.c
index 5f26576006bc300522b2cee8ad89d518ad3a1d2e..d576338f8dad9166446618e00fd963a4dcb584c6 100644
--- a/wpa_supplicant-2.9_standard/src/radius/radius_client.c
+++ b/wpa_supplicant-2.9_standard/src/radius/radius_client.c
@@ -1105,7 +1105,7 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 	struct radius_hdr *hdr;
 	struct radius_rx_handler *handlers;
 	size_t num_handlers, i;
-	struct radius_msg_list *req, *prev_req;
+	struct radius_msg_list *req, *prev_req, *r;
 	struct os_reltime now;
 	struct hostapd_radius_server *rconf;
 	int invalid_authenticator = 0;
@@ -1230,7 +1230,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		break;
 	}
 
-	prev_req = NULL;
 	req = radius->msgs;
 	while (req) {
 		/* TODO: also match by src addr:port of the packet when using
@@ -1242,7 +1241,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		    hdr->identifier)
 			break;
 
-		prev_req = req;
 		req = req->next;
 	}
 
@@ -1265,13 +1263,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		       roundtrip / 100, roundtrip % 100);
 	rconf->round_trip_time = roundtrip;
 
-	/* Remove ACKed RADIUS packet from retransmit list */
-	if (prev_req)
-		prev_req->next = req->next;
-	else
-		radius->msgs = req->next;
-	radius->num_msgs--;
-
 	for (i = 0; i < num_handlers; i++) {
 		RadiusRxResult res;
 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
@@ -1282,6 +1273,19 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 			radius_msg_free(msg);
 			__attribute__((fallthrough));
 		case RADIUS_RX_QUEUED:
+			/* Remove ACKed RADIUS packet from retransmit list */
+			prev_req = NULL;
+			for (r = radius->msgs; r; r = r->next) {
+				if (r == req)
+					break;
+				prev_req = r;
+			}
+			if (prev_req)
+				prev_req->next = req->next;
+			else
+				radius->msgs = req->next;
+			radius->num_msgs--;
+
 			radius_client_msg_free(req);
 			return;
 		case RADIUS_RX_INVALID_AUTHENTICATOR:
@@ -1303,7 +1307,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
 		       msg_type, hdr->code, hdr->identifier,
 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
 		       "");
-	radius_client_msg_free(req);
 
  fail:
 	radius_msg_free(msg);