[PATCH] PMKSA: fix use-after-free in pmksa_cache_clone_entry()
Andrew Elble
aweits at rit.edu
Thu Sep 7 18:42:02 PDT 2017
pmksa_cache_add_entry() may actually free old_entry if the pmksa cache
is full. This can result in the pmksa cache containing entries with
corrupt expiration times.
Signed-off-by: Andrew Elble <aweits at rit.edu>
---
src/rsn_supp/pmksa_cache.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c
index e1cfa146a3d1..a353404c22b4 100644
--- a/src/rsn_supp/pmksa_cache.c
+++ b/src/rsn_supp/pmksa_cache.c
@@ -367,6 +367,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
const u8 *aa)
{
struct rsn_pmksa_cache_entry *new_entry;
+ os_time_t old_expiration = old_entry->expiration;
new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
NULL, NULL, 0,
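Review bot: `old_entry->pmk` is still passed by pointer into pmksa_cache_add() in the call right after the new `old_expiration` local, so it is worth confirming that the PMK bytes are copied into the new entry before the point where a full cache can free the old entry; otherwise the same stale read that this patch removes for `expiration` would remain for the key material. A one-line comment above `os_time_t old_expiration = old_entry->expiration;` saying that old_entry may be freed by the add call would also keep a later cleanup from folding the local back into a direct `old_entry->expiration` read. The commit message names pmksa_cache_add_entry() while the visible call is pmksa_cache_add(); stating the call chain there would make the lifetime problem easier to follow.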
@@ -378,7 +379,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
return NULL;
/* TODO: reorder entries based on expiration time? */
- new_entry->expiration = old_entry->expiration;
+ new_entry->expiration = old_expiration;
new_entry->opportunistic = 1;
return new_entry;
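Review bot: After the switch to `new_entry->expiration = old_expiration;` this function no longer touches old_entry once pmksa_cache_add() has returned, but the caller still holds the `old_entry` pointer it passed in, and per the commit message that pointer may now be dangling. I would document on pmksa_cache_clone_entry() that old_entry must not be used after the call, and check the call sites for any dereference of it after cloning. Separately, the existing TODO about reordering still applies: the expiration is overwritten after the entry has already been inserted, so the list position reflects whatever expiration pmksa_cache_add() assigned rather than the copied one.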
--
2.10.1