[PATCH 1/2] eap_sim_db.c: implements eap_sim_db_expire_pending
Jouni Malinen
Fri Sep 25 09:56:20 PDT 2015
On Mon, Sep 21, 2015 at 11:30:14AM +0200, Frederic Leroy wrote:
> For eap-aka, expire pending db requests after 1 second.
> If there is no answer from hlr_auc_gw on the unix socket, the eap state
> for the user remains in "pending" state.
> Next authentication try will fail.
> This patch sets a timeout for hlr_auc_gw queries in order to release the
> session pending state.
> diff --git a/src/eap_server/eap_sim_db.c b/src/eap_server/eap_sim_db.c
> @@ -832,12 +832,34 @@ static int eap_sim_db_send(struct eap_sim_db_data *data, const char *msg,
> +void eap_sim_db_del_pending(struct eap_sim_db_data *data, struct eap_sim_db_pending *entry) {
> + struct eap_sim_db_pending **pp = &data->pending;
> + if ( entry == NULL )
> + return;
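Review bot: eap_sim_db_del_pending() in this hunk is introduced as a non-static global with the opening brace on the signature line and `if ( entry == NULL )` spacing, whereas the neighbouring eap_sim_db_expire_pending() in the same file is static with the brace on its own line; unless the function is meant to be called from outside eap_sim_db.c, make it static and follow the file's existing brace placement and `if (entry == NULL)` spacing. The `pp` list walker is declared before the NULL check but the quoted part of the hunk ends before it is used, so the unlink logic cannot be reviewed from what is shown here.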
How could entry be NULL here?
> -static void eap_sim_db_expire_pending(struct eap_sim_db_data *data)
> +static void eap_sim_db_expire_pending(struct eap_sim_db_data *data, struct eap_sim_db_pending *entry)
> {
> /* TODO: add limit for maximum length for pending list; remove latest
> * (i.e., last) entry from the list if the limit is reached; could also
> * use timeout to expire pending entries */
> + eloop_register_timeout(EAP_SIM_DB_QUERY_TIMEOUT_SEC, EAP_SIM_DB_QUERY_TIMEOUT_USEC, eap_sim_db_query_timeout, entry, data);
> }
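Review bot: the return value of eloop_register_timeout() on the added line in eap_sim_db_expire_pending() is ignored; if registration fails (it returns a negative value on allocation failure), the entry stays in the pending list with no expiry, which is exactly the stuck "pending" state the commit message sets out to fix, so check for a negative return and drop or log the entry. The TODO comment kept above the call still says a timeout "could also" be used to expire pending entries, and should be updated now that the function does precisely that; the function name also now describes scheduling an expiry rather than performing one. Nothing in this hunk cancels the timeout when an entry is removed from the list by another path, so eap_sim_db_query_timeout() can be invoked with an entry pointer that is no longer valid.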
This timeout is not canceled anywhere. This could result in the timeout
being left behind when eap_sim_db_deinit() is called within
EAP_SIM_DB_QUERY_TIMEOUT_SEC of the last time this was scheduled. That
would result in using freed memory and likely segfault.
The eap_sim_db_deinit() loop that frees the pending items should most likely
cancel these timeouts to avoid that.
--
Jouni Malinen PGP id EFC895FA
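The use-after-free described in the reply above, reproduced as an added example (this is not hostap code and not part of the original thread): a toy event loop with register/cancel calls modelled on eloop_register_timeout()/eloop_cancel_timeout(), a stand-in pending list, and a deinit path that either cancels each entry's timeout before freeing it or, as in the reviewed patch, does not. The names loop_register_timeout, loop_cancel_timeout, db_add_pending, db_del_pending and db_deinit are assumptions made for this example.

```c
/* Added example, not hostap code: a toy event loop modelled on the
 * eloop_register_timeout()/eloop_cancel_timeout() pair, showing why a
 * pending entry's timeout must be cancelled before the entry is freed. */
#include <stdlib.h>
#define MAX_TIMEOUTS 16

typedef void (*timeout_handler)(void *eloop_data, void *user_ctx);
struct timeout { int active; timeout_handler handler; void *eloop_data, *user_ctx; };
struct loop { struct timeout slots[MAX_TIMEOUTS]; };

/* Like eloop_register_timeout(): 0 on success, -1 when no slot is free. */
static int loop_register_timeout(struct loop *l, timeout_handler h,
                                 void *eloop_data, void *user_ctx) {
    for (int i = 0; i < MAX_TIMEOUTS; i++) {
        if (l->slots[i].active)
            continue;
        l->slots[i] = (struct timeout){ 1, h, eloop_data, user_ctx };
        return 0;
    }
    return -1;
}

/* Like eloop_cancel_timeout(): drop every timeout matching all three keys. */
static void loop_cancel_timeout(struct loop *l, timeout_handler h,
                                void *eloop_data, void *user_ctx) {
    for (int i = 0; i < MAX_TIMEOUTS; i++) {
        struct timeout *t = &l->slots[i];
        if (t->handler == h && t->eloop_data == eloop_data && t->user_ctx == user_ctx)
            t->active = 0;
    }
}

static int loop_active_timeouts(const struct loop *l) {
    int n = 0;
    for (int i = 0; i < MAX_TIMEOUTS; i++)
        n += l->slots[i].active;
    return n;
}

/* Stand-ins for struct eap_sim_db_pending and struct eap_sim_db_data. */
struct pending { struct pending *next; };
struct db { struct loop *loop; struct pending *pending; };

static void db_del_pending(struct db *db, struct pending *entry);

/* Handler registered with the entry as eloop_data: if the entry was freed
 * without cancelling this timeout, firing it is a use-after-free. */
static void query_timeout(void *eloop_data, void *user_ctx) {
    db_del_pending(user_ctx, eloop_data);
}

static int db_add_pending(struct db *db) {
    struct pending *e = calloc(1, sizeof(*e));
    if (!e)
        return -1;
    /* Registration can fail; an entry with no timer would never expire. */
    if (loop_register_timeout(db->loop, query_timeout, e, db) < 0) {
        free(e);
        return -1;
    }
    e->next = db->pending;
    db->pending = e;
    return 0;
}

/* Safe order: unlink, cancel the entry's timeout, then free. */
static void db_del_pending(struct db *db, struct pending *entry) {
    struct pending **pp = &db->pending;
    while (*pp && *pp != entry)
        pp = &(*pp)->next;
    if (*pp)
        *pp = entry->next;
    loop_cancel_timeout(db->loop, query_timeout, entry, db);
    free(entry);
}

/* cancel_timeouts == 0 reproduces the deinit problem raised in the review. */
static void db_deinit(struct db *db, int cancel_timeouts) {
    while (db->pending) {
        struct pending *e = db->pending;
        if (cancel_timeouts) {
            db_del_pending(db, e);
        } else {
            db->pending = e->next;
            free(e); /* the loop still holds e as eloop_data */
        }
    }
}

/* Timeouts left registered after deinit; each one points at freed memory. */
int dangling_after_deinit(int cancel_timeouts) {
    struct loop loop = { 0 };
    struct db db = { &loop, NULL };
    for (int i = 0; i < 3; i++)
        db_add_pending(&db);
    db_deinit(&db, cancel_timeouts);
    return loop_active_timeouts(&loop);
}
```

With three pending entries, dangling_after_deinit(0) leaves three registered timeouts whose eloop_data points at freed memory, so the next tick of the loop would call query_timeout() on a freed entry; dangling_after_deinit(1) leaves none. The same cancel-before-free rule applies to any other path that removes an entry from the pending list, which is why db_del_pending() cancels unconditionally.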