EAP-pwd server: Fix memory leak with salted passwords

The struct hostapd_eap_user changes with a new allocated variable were
not covered in the RADIUS server code. Fix this by using eap_user_free()
instead of custom memory freeing operation in radius_server.c.

The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1,
ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered
these memory leaks.

Fixes: d52ead3db7 ("EAP-pwd server: Add support for salted password databases")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This commit is contained in:
Masashi Honma 2019-03-03 09:52:22 +09:00 committed by Jouni Malinen
parent 9ebbdd0aa3
commit 1e653daa31
3 changed files with 12 additions and 10 deletions

View file

@ -161,5 +161,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
const u8 *username, size_t username_len, const u8 *username, size_t username_len,
const u8 *challenge, const u8 *response); const u8 *challenge, const u8 *response);
void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len); void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
void eap_user_free(struct eap_user *user);
#endif /* EAP_H */ #endif /* EAP_H */

View file

@ -25,9 +25,6 @@
#define EAP_MAX_AUTH_ROUNDS 50 #define EAP_MAX_AUTH_ROUNDS 50
static void eap_user_free(struct eap_user *user);
/* EAP state machines are described in RFC 4137 */ /* EAP state machines are described in RFC 4137 */
static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount, static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
@ -1814,7 +1811,7 @@ int eap_server_sm_step(struct eap_sm *sm)
} }
static void eap_user_free(struct eap_user *user) void eap_user_free(struct eap_user *user)
{ {
if (user == NULL) if (user == NULL)
return; return;

View file

@ -686,7 +686,7 @@ radius_server_get_new_session(struct radius_server_data *data,
int res; int res;
struct radius_session *sess; struct radius_session *sess;
struct eap_config eap_conf; struct eap_config eap_conf;
struct eap_user tmp; struct eap_user *tmp;
RADIUS_DEBUG("Creating a new session"); RADIUS_DEBUG("Creating a new session");
@ -697,12 +697,14 @@ radius_server_get_new_session(struct radius_server_data *data,
} }
RADIUS_DUMP_ASCII("User-Name", user, user_len); RADIUS_DUMP_ASCII("User-Name", user, user_len);
os_memset(&tmp, 0, sizeof(tmp)); tmp = os_zalloc(sizeof(*tmp));
res = data->get_eap_user(data->conf_ctx, user, user_len, 0, &tmp); if (!tmp)
bin_clear_free(tmp.password, tmp.password_len); return NULL;
res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp);
if (res != 0) { if (res != 0) {
RADIUS_DEBUG("User-Name not found from user database"); RADIUS_DEBUG("User-Name not found from user database");
eap_user_free(tmp);
return NULL; return NULL;
} }
@ -710,10 +712,12 @@ radius_server_get_new_session(struct radius_server_data *data,
sess = radius_server_new_session(data, client); sess = radius_server_new_session(data, client);
if (sess == NULL) { if (sess == NULL) {
RADIUS_DEBUG("Failed to create a new session"); RADIUS_DEBUG("Failed to create a new session");
eap_user_free(tmp);
return NULL; return NULL;
} }
sess->accept_attr = tmp.accept_attr; sess->accept_attr = tmp->accept_attr;
sess->macacl = tmp.macacl; sess->macacl = tmp->macacl;
eap_user_free(tmp);
sess->username = os_malloc(user_len * 4 + 1); sess->username = os_malloc(user_len * 4 + 1);
if (sess->username == NULL) { if (sess->username == NULL) {