[PATCH] TNC: Stray pointer

[Masashi Honma]

Hello.

On "eap_tnc_process" function error case, data->in_buf keeps reference to
a local scope variable. For example this will cause segmentation fault in
"eap_tnc_deinit" function "wpabuf_free(data->in_buf)" statement.

This patch will solve it.

diff --git a/src/eap_peer/eap_tnc.c b/src/eap_peer/eap_tnc.c
index 0a3a01c..c560015 100644
--- a/src/eap_peer/eap_tnc.c
+++ b/src/eap_peer/eap_tnc.c
@@ -295,7 +295,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
 			wpa_printf(MSG_DEBUG, "EAP-TNC: Server did not use "
 				   "start flag in the first message");
 			ret->ignore = TRUE;
-			return NULL;
+			goto fail;
 		}
 
 		tncc_init_connection(data->tncc);
@@ -308,7 +308,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
 			wpa_printf(MSG_DEBUG, "EAP-TNC: Server used start "
 				   "flag again");
 			ret->ignore = TRUE;
-			return NULL;
+			goto fail;
 		}
 
 		res = tncc_process_if_tnccs(data->tncc,
@@ -317,7 +317,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
 		switch (res) {
 		case TNCCS_PROCESS_ERROR:
 			ret->ignore = TRUE;
-			return NULL;
+			goto fail;
 		case TNCCS_PROCESS_OK_NO_RECOMMENDATION:
 		case TNCCS_RECOMMENDATION_ERROR:
 			wpa_printf(MSG_DEBUG, "EAP-TNC: No "
@@ -404,6 +404,11 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
 	data->out_buf = resp;
 	data->state = PROC_MSG;
 	return eap_tnc_build_msg(data, ret, id);
+
+fail:
+	if (data->in_buf == &tmpbuf)
+		data->in_buf = NULL;
+	return NULL;
 }
 
 

Regards,
Masashi Honma.