[PATCH 1/5] wpa_supplicant: fix possible memory leak in handle_auth()
Peer, Ilan
ilan.peer
Sun Jun 21 06:09:39 PDT 2015
Hi Jouni,
> -----Original Message-----
> From: Jouni Malinen [mailto:j at w1.fi]
> Sent: Friday, June 19, 2015 01:26
> To: Peer, Ilan
> Cc: hostap at lists.shmoo.com; Eytan Lifshitz
> Subject: Re: [PATCH 1/5] wpa_supplicant: fix possible memory leak in
> handle_auth()
>
> On Wed, Jun 17, 2015 at 04:16:32PM +0300, Ilan Peer wrote:
> > In handle_auth(), in case of waiting for external authentication, the
> > function returns without freeing allocated memory.
>
> > diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c @@ -975,6
> > +975,9 @@ static void handle_auth(struct hostapd_data *hapd,
> > /* Authentication code will re-send the authentication frame
> > * after it has received (and cached) information from the
> > * external source. */
> > + os_free(identity);
> > + os_free(radius_cui);
> > + hostapd_free_psk_list(psk);
> > return;
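Review bot: the three frees added before the return have no comment or commit-message text saying when identity, radius_cui or psk can be non-NULL on this path. The comment just above them says the frame is re-sent after the information from the external source has been received and cached, which reads as if nothing has been copied yet at this point. Please name the path that populates these pointers before this return, or, if the frees are meant only as defensive cleanup, say so in a one-line comment so the early return does not imply that allocated data is expected here.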
>
> Changed my mind on this one after going through the other patches..
> Since I cannot figure out how this could happen (HOSTAPD_ACL_PENDING
> indicates Access-Accept has not yet been received and as such, these copies
> of the attributes from that message cannot exist). Adding these freeing
> operations here would make this quite confusing. As such, I'm going to drop
> this unless someone can describe how these could be non-NULL.
>
This is the tool's traceback:
ieee802_11.c:962: Dynamic memory stored in 'identity' is allocated by calling function 'hostapd_allowed_address'.
ieee802_11_auth.c#1:271: '*identity' is allocated by function 'hostapd_acl_cache_get'.
ieee802_11_auth.c#1:128: entry->identity is true
ieee802_11_auth.c#1:129: '*identity' is allocated by function 'strdup'.
ieee802_11.c:980: Dynamic memory stored in 'identity' is lost.
I'm not familiar with this functionality, and the report seemed reasonable to me. If this is not a real issue as you described, I can mask it as not a real issue.
Thanks,
Ilan.
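
A simplified C model of the question discussed in this thread, added here as an illustration and not taken from hostapd or from either author: it assumes a lookup that copies the identity only on a cache hit and returns a pending result on a miss, with a caller that releases the copy on a single exit path. All names (lookup, handle_frame, the cache contents) are hypothetical and the sample data is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, not hostapd code: every name below is hypothetical. */
enum acl_result { ACL_REJECT, ACL_ACCEPT, ACL_PENDING };
struct cache_entry { const char *addr; const char *identity; };
/* Constructed sample cache: one station already answered by the server. */
static const struct cache_entry cache[] = { { "02:00:00:00:00:01", "alice" } };
static int live_allocs; /* outstanding heap copies, to make a leak visible */

static char *dup_counted(const char *s)
{
	char *p = malloc(strlen(s) + 1);
	if (p) { strcpy(p, s); live_allocs++; }
	return p;
}

static void free_counted(char *p)
{
	if (p) live_allocs--;
	free(p); /* free(NULL) is a no-op, so this is safe on every path */
}

/* Assumption: the out-parameter is written only on a cache hit; a miss
 * starts an external query and returns PENDING without allocating. */
static enum acl_result lookup(const char *addr, char **identity)
{
	size_t i;
	*identity = NULL;
	for (i = 0; i < sizeof(cache) / sizeof(cache[0]); i++) {
		if (strcmp(cache[i].addr, addr) == 0) {
			if (cache[i].identity)
				*identity = dup_counted(cache[i].identity);
			return ACL_ACCEPT;
		}
	}
	return ACL_PENDING;
}

/* Caller with one exit: whatever the result, the copy is released once.
 * Returns 1 if the lookup handed back an identity, 0 otherwise. */
static int handle_frame(const char *addr, enum acl_result *res)
{
	char *identity = NULL;
	int had_identity;
	*res = lookup(addr, &identity);
	had_identity = identity != NULL;
	/* ACCEPT would use identity here; PENDING waits for the re-sent frame */
	free_counted(identity);
	return had_identity;
}
```

Under that assumption the pending path never holds a copy, and a single release point stays balanced whether or not the assumption holds.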