From cd5895e8c5aac5620135085af606e698debdbf2a Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 20 Dec 2015 10:52:30 +0200 Subject: [PATCH] WPA: Explicitly clear the buffer used for decrypting Key Data When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it. Signed-off-by: Jouni Malinen --- src/rsn_supp/wpa.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 9bde3c816..669f658cf 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -1670,14 +1670,14 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, } if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8, key_data, buf)) { - os_free(buf); + bin_clear_free(buf, *key_data_len); wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: AES unwrap failed - " "could not decrypt EAPOL-Key key data"); return -1; } os_memcpy(key_data, buf, *key_data_len); - os_free(buf); + bin_clear_free(buf, *key_data_len); WPA_PUT_BE16(key->key_data_length, *key_data_len); } else { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,