TDLS: Replace os_memset() of all peer data with safer approach

Blindly clearing all struct wpa_tdls_peer members is a risky
operation since it could easily clear pointers to allocated
memory and other information that really should not be removed.
Instead of hoping that new code gets added here to restore
the important variables, reverse the approach and only clear
structure members one by one when needed.
Jouni Malinen 2011-01-27 14:06:17 +02:00 committed by Jouni Malinen
parent c61f3e5544
commit f0bfbe2a6c


@ -248,26 +248,6 @@ static int wpa_tdls_tpk_send(struct wpa_sm *sm, const u8 *dest, u8 action_code,
} }
static void tdls_clear_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
{
u8 mac[ETH_ALEN];
struct wpa_tdls_peer *tmp;
os_memcpy(mac, peer->addr, ETH_ALEN);
tmp = peer->next;
peer->initiator = 0;
eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
os_free(peer->sm_tmr.buf);
/* reset all */
os_memset(peer, 0, sizeof(*peer));
/* restore things */
os_memcpy(peer->addr, mac, ETH_ALEN);
peer->next = tmp;
}
static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx) static void wpa_tdls_tpk_retry_timeout(void *eloop_ctx, void *timeout_ctx)
{ {
@ -598,11 +578,19 @@ static void wpa_tdls_tpk_timeout(void *eloop_ctx, void *timeout_ctx)
static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer) static void wpa_tdls_peer_free(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
{ {
wpa_printf(MSG_DEBUG, "TDLS: Clear state for peer " MACSTR,
MAC2STR(peer->addr));
eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer); eloop_cancel_timeout(wpa_tdls_tpk_timeout, sm, peer);
eloop_cancel_timeout(wpa_tdls_tpk_retry_timeout, sm, peer);
/* need to clear Peerkey SM */ peer->initiator = 0;
tdls_clear_peer(sm, peer); os_free(peer->sm_tmr.buf);
//os_free(peer); peer->sm_tmr.buf = NULL;
peer->rsnie_i_len = peer->rsnie_p_len = 0;
peer->cipher = 0;
peer->tpk_set = peer->tpk_success = 0;
os_memset(&peer->tpk, 0, sizeof(peer->tpk));
os_memset(peer->inonce, 0, WPA_NONCE_LEN);
os_memset(peer->rnonce, 0, WPA_NONCE_LEN);
} }
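Review bot: The rewritten body of wpa_tdls_peer_free now depends on an explicit member list, so the "everything except addr and next is reset" invariant that the removed os_memset() used to enforce is no longer stated anywhere; a header comment should record it, e.g. `/* Keep peer->addr and peer->next; every other member holding session state must be reset explicitly here (no blanket memset, see commit message). */`, so that new struct wpa_tdls_peer members are not silently left stale. Only `sm_tmr.buf` is freed and nulled; if `sm_tmr` also carries a length or retry counter alongside the buffer (not visible in this hunk), that value survives the clear and the retry timeout would see a NULL buffer paired with a non-zero length, so resetting the aggregate after the free, `os_memset(&peer->sm_tmr, 0, sizeof(peer->sm_tmr));`, is the safer form of the one-field reset. The function body is complete within the hunk; its trailing context lines may lie beyond the visible page.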