[PATCH 1/5] wpa_supplicant: fix possible memory leak in handle_auth()
Jouni Malinen
j
Mon Jun 29 10:34:51 PDT 2015
On Sun, Jun 21, 2015 at 01:09:39PM +0000, Peer, Ilan wrote:
> This is the tool's traceback:
>
> ieee802_11.c:962: Dynamic memory stored in 'identity' is allocated by calling function 'hostapd_allowed_address'.
> ieee802_11_auth.c#1:271: '*identity' is allocated by function 'hostapd_acl_cache_get'.
> ieee802_11_auth.c#1:128: entry->identity is true
> ieee802_11_auth.c#1:129: '*identity' is allocated by function 'strdup'.
This code path returns entry->accepted on line 139. The only values
assigned to entry->accepted are HOSTAPD_ACL_ACCEPT_TIMEOUT,
HOSTAPD_ACL_ACCEPT, and HOSTAPD_ACL_REJECT.
> ieee802_11.c:980: Dynamic memory stored in 'identity' is lost.
This is within "if (res == HOSTAPD_ACL_PENDING)" and since
entry->accepted in ieee802_11_auth.c:139 cannot have that value, this
code path does not look possible (nor does this look reasonable as far
as generic functionality is concerned since HOSTAPD_ACL_PENDING
indicates that the Access-Accept with the 'identity' value has not yet
been received).
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list