From 155bf110881290f2db6b8b4dc510aaa1dbc6a01a Mon Sep 17 00:00:00 2001
From: Andrew Elble
Date: Thu, 7 Sep 2017 21:42:02 -0400
Subject: [PATCH] PMKSA: Fix use-after-free in pmksa_cache_clone_entry()

pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache is full. This can result in the PMKSA cache containing entries with corrupt expiration times.

Signed-off-by: Andrew Elble
---
 src/rsn_supp/pmksa_cache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c
index e1cfa146a..a353404c2 100644
--- a/src/rsn_supp/pmksa_cache.c
+++ b/src/rsn_supp/pmksa_cache.c
@@ -367,6 +367,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
 			const u8 *aa)
 {
 	struct rsn_pmksa_cache_entry *new_entry;
+	os_time_t old_expiration = old_entry->expiration;
 
 	new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
 				    NULL, NULL, 0,
@@ -378,7 +379,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
 	return NULL;
 
 	/* TODO: reorder entries based on expiration time? */
-	new_entry->expiration = old_entry->expiration;
+	new_entry->expiration = old_expiration;
 	new_entry->opportunistic = 1;
 
 	return new_entry;
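Review bot: The snapshot `os_time_t old_expiration = old_entry->expiration;` added at the top of pmksa_cache_clone_entry() carries no hint of why it exists, so a later cleanup is likely to fold it back into the assignment in the second hunk and reintroduce the use-after-free this patch fixes. A one-line comment above it, `/* old_entry may be freed by pmksa_cache_add() when the cache is full; copy anything needed after the call first */`, would pin that invariant where it matters, and the same note covers the second hunk's `new_entry->expiration = old_expiration;`. Any further old_entry fields passed as pmksa_cache_add() arguments in the lines between the two hunks are presumably safe only because argument evaluation precedes the call, which is worth stating in the same comment. The function's signature begins before the first hunk and the rest of the pmksa_cache_add() call lies between the hunks, outside this view.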