nl80211: Clear keys from heap memory before freeing it for get_seqnum

NL80211_CMD_GET_KEY response may return the actual key in addition to
the last used sequence number that we need. That might result in a key
being left in unused heap memory after the buffer is freed.

Explicitly clear the message payload with the possibly included key
material from heap memory before returning from the handler function
(and having libnl free the nlmsg) when key information is obtained from
the driver using the NL80211_CMD_GET_KEY command.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
vamsi krishna 2019-03-13 12:33:17 +05:30 committed by Jouni Malinen
parent 2b7fa03559
commit 4efade3157

@ -6132,6 +6132,7 @@ static int get_key_handler(struct nl_msg *msg, void *arg)
if (tb[NL80211_ATTR_KEY_SEQ]) if (tb[NL80211_ATTR_KEY_SEQ])
memcpy(arg, nla_data(tb[NL80211_ATTR_KEY_SEQ]), memcpy(arg, nla_data(tb[NL80211_ATTR_KEY_SEQ]),
min_int(nla_len(tb[NL80211_ATTR_KEY_SEQ]), 6)); min_int(nla_len(tb[NL80211_ATTR_KEY_SEQ]), 6));
nl80211_nlmsg_clear(msg);
return NL_SKIP; return NL_SKIP;
} }
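Review bot: The new nl80211_nlmsg_clear(msg) call before return NL_SKIP carries no comment, so a later cleanup could drop it as a redundant wipe of a buffer libnl is about to free. A one-line comment stating that the NL80211_CMD_GET_KEY reply may contain key material would protect it. This is also the only return visible in the hunk; if get_key_handler has an earlier return above the shown context, that path would still hand the message back uncleared, so the clear should cover it as well.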