EAP-pwd server: Fix memory leak with salted passwords

The struct hostapd_eap_user changes with a new allocated variable were not covered in the RADIUS server code. Fix this by using eap_user_free() instead of custom memory freeing operation in radius_server.c. The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1, ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered these memory leaks. Fixes: d52ead3db7 ("EAP-pwd server: Add support for salted password databases") Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-03-03 09:52:22 +09:00 · 2019-03-03 09:52:22 +09:00 · 1e653daa31
commit 1e653daa31
parent 9ebbdd0aa3
3 changed files with 12 additions and 10 deletions
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@ -161,5 +161,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
 				   const u8 *username, size_t username_len,
 				   const u8 *challenge, const u8 *response);
 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
+void eap_user_free(struct eap_user *user);

 #endif /* EAP_H */
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@ -25,9 +25,6 @@

 #define EAP_MAX_AUTH_ROUNDS 50

-static void eap_user_free(struct eap_user *user);
-
-
 /* EAP state machines are described in RFC 4137 */

 static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
@ -1814,7 +1811,7 @@ int eap_server_sm_step(struct eap_sm *sm)
 }


-static void eap_user_free(struct eap_user *user)
+void eap_user_free(struct eap_user *user)
 {
 	if (user == NULL)
 		return;
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@ -686,7 +686,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 	int res;
 	struct radius_session *sess;
 	struct eap_config eap_conf;
-	struct eap_user tmp;
+	struct eap_user *tmp;

 	RADIUS_DEBUG("Creating a new session");

@ -697,12 +697,14 @@ radius_server_get_new_session(struct radius_server_data *data,
 	}
 	RADIUS_DUMP_ASCII("User-Name", user, user_len);

-	os_memset(&tmp, 0, sizeof(tmp));
-	res = data->get_eap_user(data->conf_ctx, user, user_len, 0, &tmp);
-	bin_clear_free(tmp.password, tmp.password_len);
+	tmp = os_zalloc(sizeof(*tmp));
+	if (!tmp)
+		return NULL;

+	res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp);
 	if (res != 0) {
 		RADIUS_DEBUG("User-Name not found from user database");
+		eap_user_free(tmp);
 		return NULL;
 	}

@ -710,10 +712,12 @@ radius_server_get_new_session(struct radius_server_data *data,
 	sess = radius_server_new_session(data, client);
 	if (sess == NULL) {
 		RADIUS_DEBUG("Failed to create a new session");
+		eap_user_free(tmp);
 		return NULL;
 	}
-	sess->accept_attr = tmp.accept_attr;
-	sess->macacl = tmp.macacl;
+	sess->accept_attr = tmp->accept_attr;
+	sess->macacl = tmp->macacl;
+	eap_user_free(tmp);

 	sess->username = os_malloc(user_len * 4 + 1);
 	if (sess->username == NULL) {