From 661afb2edd016932f10b39065745434c6097fd16 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 5 Jun 2018 14:18:41 +0300
Subject: [PATCH] FT: Fix RRB error path handling

When building an RRB message, a failure in wpa_ft_rrb_lin() calls could
have resulted in trying to free an uninitialized pointer. Fix this by
initializing *packet to NULL before going through the initial steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/ap/wpa_auth_ft.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 2fa85bbd8..fab958199 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -505,6 +505,7 @@ static int wpa_ft_rrb_build(const u8 *key, const size_t key_len,
 	size_t plain_len = 0, auth_len = 0;
 	int ret = -1;
 
+	*packet = NULL;
 	if (wpa_ft_rrb_lin(tlvs_enc0, tlvs_enc1, vlan, &plain, &plain_len) < 0)
 		goto out;