[1/2] mka: fix use-after-free when receive secure channels are deleted

Message ID 460f344392e0297c64eb9a9e681a62cdc769a1cc.1489658059.git.davide.caratti@gmail.com
State Accepted

Commit Message

Davide Caratti March 16, 2017, 1:01 p.m.
ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
but secy_delete_receive_sc() still needs it. Since these two functions
are always called sequentially, secy_delete_receive_sc() can be called
from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.

Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
---
 src/pae/ieee802_1x_kay.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Jouni Malinen March 26, 2017, 10:04 p.m. | #1
Thanks, both applied.

Patch

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 3f9e53d..31905ed 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -532,6 +532,7 @@  ieee802_1x_kay_deinit_receive_sc(
 		ieee802_1x_delete_receive_sa(participant->kay, psa);
 
 	dl_list_del(&psc->list);
+	secy_delete_receive_sc(participant->kay, psc);
 	os_free(psc);
 }
 
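Review bot: the new secy_delete_receive_sc(participant->kay, psc) call sits between dl_list_del(&psc->list) and os_free(psc), so ieee802_1x_kay_deinit_receive_sc() now both removes the channel through the secy layer and frees psc, yet nothing in the hunk documents that contract. The bug being fixed was a caller using the pointer after this function returned, so a short comment above the function stating that psc is invalid on return, and that callers must not call secy_delete_receive_sc() on it themselves, would keep the pairing from being reintroduced. The result of the call is also not checked here; if it can report failure, logging that before os_free(psc) would help when a channel is left behind in the driver.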
@@ -2363,7 +2364,6 @@  static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
 				if (sci_equal(&rxsc->sci, &peer->sci)) {
 					ieee802_1x_kay_deinit_receive_sc(
 						participant, rxsc);
-					secy_delete_receive_sc(kay, rxsc);
 				}
 			}
 			dl_list_del(&peer->list);
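Review bot: in the sci_equal() branch, ieee802_1x_kay_deinit_receive_sc(participant, rxsc) unlinks and frees rxsc while the surrounding code is iterating over receive channels, and the loop header is outside this hunk. Please confirm that the iteration caches the next entry before the body runs (a safe iterator such as dl_list_for_each_safe), since otherwise advancing from rxsc reads freed memory regardless of where secy_delete_receive_sc() is called. With the second statement removed, nothing in this branch touches rxsc after the deinit call, which is the property to preserve in later edits.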
@@ -3433,7 +3433,6 @@  ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
 		rxsc = dl_list_entry(participant->rxsc_list.next,
 				     struct receive_sc, list);
 		ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
-		secy_delete_receive_sc(kay, rxsc);
 	}
 	ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
 	secy_delete_transmit_sc(kay, participant->txsc);
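Review bot: the trailing context of this hunk shows the same pattern on the transmit side, ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc) followed directly by secy_delete_transmit_sc(kay, participant->txsc). If the transmit deinit frees txsc the way the receive deinit frees psc, that second call is the same use-after-free this patch removes for rxsc. This is patch 1 of 2, so please confirm the companion patch covers the transmit path by folding secy_delete_transmit_sc() into the deinit function in the same way, or note in the commit message why the transmit path is unaffected.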