From 83e003a9132a33921e8e284f07aeab1d72153131 Mon Sep 17 00:00:00 2001
From: Ilan Peer
Date: Thu, 8 Jun 2017 11:17:59 +0300
Subject: [PATCH] EAP-TTLS: Fix possible memory leak in eap_ttls_phase2_request_mschap()
The msg buffer needs to be freed on these two error paths.
Signed-off-by: Ilan Peer
---
 src/eap_peer/eap_ttls.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index 01112b5df..c8a05fdca 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -625,15 +625,25 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
 pos += 24;
 if (pwhash) {
 /* NT-Response */
- if (challenge_response(challenge, password, pos))
+ if (challenge_response(challenge, password, pos)) {
+ wpa_printf(MSG_ERROR,
+ "EAP-TTLS/MSCHAP: Failed derive password hash");
+ wpabuf_free(msg);
 return -1;
+ }
+
 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash", password, 16);
 } else {
 /* NT-Response */
 if (nt_challenge_response(challenge, password, password_len,
- pos))
+ pos)) {
+ wpa_printf(MSG_ERROR,
+ "EAP-TTLS/MSCHAP: Failed derive password");
+ wpabuf_free(msg);
 return -1;
+ }
+
 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password", password, password_len);
 }
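Review bot: Both new error branches repeat the same log, `wpabuf_free(msg);`, `return -1;` sequence, so any early return added later after msg is allocated has to remember the free again. A single cleanup label would make the fix structural: each branch logs and does `goto fail;`, with `fail: wpabuf_free(msg); return -1;` at the end of the function. The messages "Failed derive password hash" and "Failed derive password" are also inaccurate, since what fails at these two calls is computing the NT-Response (per the adjacent comments); `"EAP-TTLS/MSCHAP: Failed to derive NT-Response"` would be clearer in logs. The function starts and ends outside the hunk, so whether other return paths between the allocation of msg and this point already free it cannot be confirmed from here.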