[PATCH 5/5] WPS: Fix possible memory leak in wps_er_config_token_from_cred()
Jouni Malinen
j
Thu Jun 18 15:22:27 PDT 2015
On Wed, Jun 17, 2015 at 04:16:36PM +0300, Ilan Peer wrote:
> In wps_er_config_token_from_cred() data.new_pak memory is allocated in
> wps_build_cred() and the function returns before the memroy is released.
> diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
> @@ -2039,10 +2039,12 @@ struct wpabuf * wps_er_config_token_from_cred(struct wps_context *wps,
> data.use_cred = cred;
> if (wps_build_cred(&data, ret) ||
> wps_build_wfa_ext(ret, 0, NULL, 0)) {
> + os_free(data.new_psk);
> wpabuf_free(ret);
> return NULL;
> }
>
> + os_free(data.new_psk);
Could you please clarify how data.new_psk could be allocated on this
code path? data.use_cred is used to skip new credential allocation in
wps_build_cred(), i.e., all the cases that could allocate new_psk are
skipped with "goto use_provided".
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list