jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

EAP-pwd server: Fix a memory leak on error path

Browse source 
eap_pwd_h_final() needs to be called to free the value from
eap_pwd_h_init() even in error cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-04-17 01:28:31 +03:00 committed by Jouni Malinen
parent 0a9ff3810b
commit a9d224f560
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/eap_server/eap_server_pwd.c
View file

@ -311,7 +311,7 @@ fin:
static void eap_pwd_build_confirm_req(struct eap_sm *sm, static void eap_pwd_build_confirm_req(struct eap_sm *sm,
struct eap_pwd_data *data, u8 id) struct eap_pwd_data *data, u8 id)
{ {
struct crypto_hash *hash; struct crypto_hash *hash = NULL;
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
u16 grp; u16 grp;
size_t prime_len, order_len; size_t prime_len, order_len;
@ -392,6 +392,7 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm,
/* all done with the random function */ /* all done with the random function */
eap_pwd_h_final(hash, conf); eap_pwd_h_final(hash, conf);
hash = NULL;
os_memcpy(data->my_confirm, conf, SHA256_MAC_LEN); os_memcpy(data->my_confirm, conf, SHA256_MAC_LEN);
data->outbuf = wpabuf_alloc(SHA256_MAC_LEN); data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);
@ -404,6 +405,7 @@ fin:
bin_clear_free(cruft, prime_len * 2); bin_clear_free(cruft, prime_len * 2);
if (data->outbuf == NULL) if (data->outbuf == NULL)
eap_pwd_state(data, FAILURE); eap_pwd_state(data, FAILURE);
eap_pwd_h_final(hash, NULL);
} }
@ -742,7 +744,7 @@ static void
eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
const u8 *payload, size_t payload_len) const u8 *payload, size_t payload_len)
{ {
struct crypto_hash *hash; struct crypto_hash *hash = NULL;
u32 cs; u32 cs;
u16 grp; u16 grp;
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
@ -817,6 +819,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
/* all done */ /* all done */
eap_pwd_h_final(hash, conf); eap_pwd_h_final(hash, conf);
hash = NULL;
ptr = (u8 *) payload; ptr = (u8 *) payload;
if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) { if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
@ -836,6 +839,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
fin: fin:
bin_clear_free(cruft, prime_len * 2); bin_clear_free(cruft, prime_len * 2);
eap_pwd_h_final(hash, NULL);
} }