jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

mka: Fix use-after-free when transmit secure channels are deleted

Browse source 
ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
data, but secy_delete_transmit_sc() still needs it. Since this functions
are called sequentially, secy_delete_transmit_sc() can be called from
ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.

Fixes: 128f6a98b3 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
This commit is contained in:
Davide Caratti 2017-03-16 14:01:55 +01:00 committed by Jouni Malinen
parent 529d6ed726
commit e50df5d2a2
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/pae/ieee802_1x_kay.c
View file

@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
ieee802_1x_delete_transmit_sa(participant->kay, psa);
secy_delete_transmit_sc(participant->kay, psc);
os_free(psc);
}
@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
}
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
secy_delete_transmit_sc(kay, participant->txsc);
os_memset(&participant->cak, 0, sizeof(participant->cak));
os_memset(&participant->kek, 0, sizeof(participant->kek));