[PATCH 1/3] WPS: fix leak of dh_ctx in error cases
Benjamin Berg
benjamin at sipsolutions.net
Thu Jun 12 01:10:19 PDT 2025
From: Benjamin Berg <benjamin.berg at intel.com>
Usually the dh_ctx is passed into the wps state and is freed in that
case. However, under some circumstances this may not happen, and then a
leak can occur.
Signed-off-by: Benjamin Berg <benjamin.berg at intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
src/ap/wps_hostapd.c | 2 ++
wpa_supplicant/wps_supplicant.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 82d4d5fdd5..ceaf9a4538 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -20,6 +20,7 @@
#include "wps/wps_defs.h"
#include "wps/wps_dev_attr.h"
#include "wps/wps_attr_parse.h"
+#include "crypto/dh_group5.h"
#include "hostapd.h"
#include "ap_config.h"
#include "ap_drv_ops.h"
@@ -1071,6 +1072,7 @@ static void hostapd_free_wps(struct wps_context *wps)
wps_device_data_free(&wps->dev);
bin_clear_free(wps->network_key, wps->network_key_len);
hostapd_wps_nfc_clear(wps);
+ dh5_free(wps->dh_ctx);
wpabuf_free(wps->dh_pubkey);
wpabuf_free(wps->dh_privkey);
forced_memzero(wps->psk, sizeof(wps->psk));
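Review bot: The added `dh5_free(wps->dh_ctx);` in hostapd_free_wps is only safe if every path that hands dh_ctx over to the WPS state also sets the context's pointer to NULL, and that hand-over is not visible in this hunk. If any path copies the pointer without clearing it, teardown would now free the same DH context twice. Because this object holds Diffie-Hellman private key state, the ownership rule is worth documenting at the call, for example `/* non-NULL only if never handed to a WPS session; the hand-over must clear this pointer */`. The same applies to the `dh5_free(wpa_s->wps->dh_ctx);` added in wpas_wps_deinit. Both functions continue outside their hunks, so it cannot be confirmed here whether the struct itself is released right afterwards.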
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index d332f000c3..405c5d6051 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1709,6 +1709,7 @@ void wpas_wps_deinit(struct wpa_supplicant *wpa_s)
#endif /* CONFIG_WPS_ER */
wps_registrar_deinit(wpa_s->wps->registrar);
+ dh5_free(wpa_s->wps->dh_ctx);
wpabuf_free(wpa_s->wps->dh_pubkey);
wpabuf_free(wpa_s->wps->dh_privkey);
wpabuf_free(wpa_s->wps->dev.vendor_ext_m1);
--
2.49.0