EAP-pwd peer: Fix memory leak in eap_pwd_perform_confirm_exchange()

hash variable is allocated memory using eap_pwd_h_init(), but there are couple of error case code paths which skips deallocation of hash. The memory of hash is deallocated using eap_pwd_h_final(). Fix this by calling eap_pwd_h_final() at the end of the function if execution got there through one of those error cases. Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2018-08-21 17:07:51 +05:30 · 2018-08-21 17:07:51 +05:30 · 391d922bcf
commit 391d922bcf
parent 30a67736dc
1 changed files with 7 additions and 1 deletions
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@ -696,7 +696,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 				 const struct wpabuf *reqData,
 				 const u8 *payload, size_t payload_len)
 {
-	struct crypto_hash *hash;
+	struct crypto_hash *hash = NULL;
 	u32 cs;
 	u16 grp;
 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
@ -783,6 +783,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,

 	/* random function fin */
 	eap_pwd_h_final(hash, conf);
+	hash = NULL;

 	ptr = (u8 *) payload;
 	if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
@ -836,6 +837,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,

 	/* all done */
 	eap_pwd_h_final(hash, conf);
+	hash = NULL;

 	if (compute_keys(data->grp, data->k,
 			 data->my_scalar, data->server_scalar, conf, ptr,
@ -860,6 +862,10 @@ fin:
 	} else {
 		eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
 	}
+
+	/* clean allocated memory */
+	if (hash)
+		eap_pwd_h_final(hash, conf);
 }