[PATCH 5/5] WPS: Fix possible memory leak in wps_er_config_token_from_cred()

Jouni Malinen j
Thu Jun 18 15:22:27 PDT 2015


On Wed, Jun 17, 2015 at 04:16:36PM +0300, Ilan Peer wrote:
> In wps_er_config_token_from_cred() data.new_pak memory is allocated in
> wps_build_cred() and the function returns before the memory is released.

> diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
> @@ -2039,10 +2039,12 @@ struct wpabuf * wps_er_config_token_from_cred(struct wps_context *wps,
>  	data.use_cred = cred;
>  	if (wps_build_cred(&data, ret) ||
>  	    wps_build_wfa_ext(ret, 0, NULL, 0)) {
> +		os_free(data.new_psk);
>  		wpabuf_free(ret);
>  		return NULL;
>  	}
>  
> +	os_free(data.new_psk);
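
Review bot: Both added os_free(data.new_psk) calls lack a stated allocation site. data.use_cred = cred is set immediately before the wps_build_cred() call, and the commit message does not say which path inside wps_build_cred() allocates new_psk when a credential is supplied. Please name that path in the description, or drop the change if no such path exists. The description also refers to data.new_pak while the hunk frees data.new_psk, so the field name should be made consistent. If the free is needed, storing the result of the wps_build_cred() || wps_build_wfa_ext() check and calling os_free() once before testing it would avoid repeating the call on the error and success paths.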

Could you please clarify how data.new_psk could be allocated on this
code path? data.use_cred is used to skip new credential allocation in
wps_build_cred(), i.e., all the cases that could allocate new_psk are
skipped with "goto use_provided".

-- 
Jouni Malinen                                            PGP id EFC895FA


