[PATCH 5/5] WPS: Fix possible memory leak in wps_er_config_token_from_cred()
Jouni Malinen
Mon Jun 29 10:41:44 PDT 2015
On Sun, Jun 21, 2015 at 01:56:45PM +0000, Peer, Ilan wrote:
> > > In wps_er_config_token_from_cred() data.new_pak memory is allocated in
> > > wps_build_cred() and the function returns before the memory is released.
> >
> > > diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c @@ -2039,10 +2039,12
> > > @@ struct wpabuf * wps_er_config_token_from_cred(struct wps_context
> > *wps,
> > > data.use_cred = cred;
> > > if (wps_build_cred(&data, ret) ||
> > > wps_build_wfa_ext(ret, 0, NULL, 0)) {
> > > + os_free(data.new_psk);
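Review bot: the os_free(data.new_psk) added in the error branch is only needed if wps_build_cred() can allocate new_psk while data.use_cred is in use, and the context line data.use_cred = cred sets it just before the call; the commit message should name the path in wps_build_cred() that allocates in that case. The message also refers to data.new_pak while the code frees data.new_psk, so one of the two needs correcting.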
> This is the traceback from the tool:
>
> wps_er.c:2040: Dynamic memory stored in 'data.new_psk' is allocated by calling function 'wps_build_cred'.
wps_er.c:2039 sets data.user_cred to a non-NULL value (neither of the
two callers of wps_er_config_token_from_cred() can use NULL as the cred
argument).
> wps_registrar.c:1686: wps->auth_type& (2|32) is true
this is within wps_build_cred() after these steps:
	if (wps->use_cred) {
		os_memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred));
		goto use_provided;
	}
and before the use_provided label. There is no label in the middle
either, so no way to get back to line 1686. In other words, this code
path is not possible.
--
Jouni Malinen PGP id EFC895FA
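
A simplified model of the control flow described in the reply above, added here as an example and not hostap code; the model_* names, the 32-byte buffer and the fail_late flag are assumptions. It shows that when use_cred is set the goto skips the allocation, so new_psk holds nothing to free on the error return.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for illustration, not the hostap structures. */
struct model_cred { uint16_t auth_type; };
struct model_wps {
    const struct model_cred *use_cred; /* caller-provided credential */
    struct model_cred cred;
    uint16_t auth_type;
    uint8_t *new_psk;                  /* heap buffer, NULL until allocated */
};

/* Returns -1 when fail_late is set, modelling an error after the branch. */
int model_build_cred(struct model_wps *wps, int fail_late)
{
    if (wps->use_cred) {
        memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred));
        goto use_provided;             /* jumps over the allocation */
    }
    wps->cred.auth_type = wps->auth_type;
    if (wps->auth_type & (2 | 32)) {   /* condition from the tool's trace */
        wps->new_psk = calloc(1, 32);  /* allocation the tool reported */
        if (wps->new_psk == NULL) return -1;
    }
use_provided:
    return fail_late ? -1 : 0;
}

/* Returns 1 if the call left a buffer in new_psk on the error return. */
int model_allocates_psk(int with_use_cred, uint16_t auth_type)
{
    struct model_cred cred = { auth_type };
    struct model_wps data = { 0 };
    data.auth_type = auth_type;
    data.use_cred = with_use_cred ? &cred : NULL;
    (void) model_build_cred(&data, 1); /* force the error return */
    int allocated = data.new_psk != NULL;
    free(data.new_psk);                /* free(NULL) is a no-op */
    return allocated;
}

int main(void)
{
    printf("use_cred set: %d, unset: %d\n",
           model_allocates_psk(1, 0x20), model_allocates_psk(0, 0x20));
    return 0;
}
```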