From f81e65510c8f74e2f22f37c66bd9f12d620ca13c Mon Sep 17 00:00:00 2001 From: Yu Ouyang Date: Mon, 3 Dec 2018 14:18:53 +0800 Subject: [PATCH] WPS NFC: Fix potential NULL pointer dereference on an error path The NFC connection handover specific case of WPS public key generation did not verify whether the two wpabuf_dup() calls succeed. Those may return NULL due to an allocation failure and that would result in a NULL pointer dereference in dh5_init_fixed(). Fix this by checking memory allocation results explicitly. If either of the allocations fail, do not try to initialize wps->dh_ctx and instead, report the failure through the existing error case handler below. Signed-off-by: Jouni Malinen dh_privkey = wpabuf_dup(wps->wps->ap_nfc_dh_privkey); pubkey = wpabuf_dup(wps->wps->ap_nfc_dh_pubkey); - wps->dh_ctx = dh5_init_fixed(wps->dh_privkey, pubkey); + if (wps->dh_privkey && pubkey) + wps->dh_ctx = dh5_init_fixed(wps->dh_privkey, pubkey); #endif /* CONFIG_WPS_NFC */ } else { wpa_printf(MSG_DEBUG, "WPS: Generate new DH keys");
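Review bot: In the new guard `if (wps->dh_privkey && pubkey)`, the allocation-failure case leaves wps->dh_ctx unassigned rather than set to a known value. Correctness then depends on wps->dh_ctx already being NULL when this branch is entered and on the error handler the commit message refers to, neither of which is visible in this hunk. Consider clearing wps->dh_ctx before the two wpabuf_dup() calls, or adding an else branch that sets it to NULL, so that a stale context from an earlier call cannot pass the later check. The failure is also silent here: a wpa_printf(MSG_DEBUG, ...) in the failure case would let logs distinguish a wpabuf_dup() allocation failure from a dh5_init_fixed() failure. Please also confirm that when only one of the two wpabuf_dup() calls fails, the error path releases the buffer that was allocated (wps->dh_privkey or the local pubkey).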