From 3d490296bcdb6221e0e00b1c3ca3ca2f3ff444bf Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 2 Nov 2020 16:52:01 +0200 Subject: [PATCH] DPP2: Fix error path handling in enterprise provisioning The allocated memory pointed by the pem pointer was freed on an error path without clearing the pointer to NULL before returning it from the function. This could have resulted in use of freed memory in an error case. Fix this by clearing the pointer so that the function returns NULL properly in the case of this error. Fixes: ace3723d9879 ("DPP2: Enterprise provisioning (Enrollee)") Signed-off-by: Jouni Malinen --- src/common/dpp_crypto.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c index 37c2b692b..c75fc7871 100644 --- a/src/common/dpp_crypto.c +++ b/src/common/dpp_crypto.c @@ -2868,6 +2868,7 @@ struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7) res = BIO_read(out, wpabuf_put(pem, 0), rlen); if (res <= 0) { wpabuf_free(pem); + pem = NULL; goto fail; } wpabuf_put(pem, res);