PMKSA: fix use-after-free in pmksa_cache_clone_entry()

Message ID 20170908014202.1465-1-aweits@rit.edu
State Accepted

Commit Message

Andrew Elble Sept. 8, 2017, 1:42 a.m. UTC
pmksa_cache_add_entry() may actually free old_entry if the pmksa cache
is full. This can result in the pmksa cache containing entries with
corrupt expiration times.

Signed-off-by: Andrew Elble <aweits@rit.edu>
---
 src/rsn_supp/pmksa_cache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Jouni Malinen Sept. 9, 2017, 11:19 p.m. UTC | #1
On Thu, Sep 07, 2017 at 09:42:02PM -0400, Andrew Elble wrote:
> pmksa_cache_add_entry() may actually free old_entry if the pmksa cache
> is full. This can result in the pmksa cache containing entries with
> corrupt expiration times.

Thanks, applied.

Patch

diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c
index e1cfa146a3d1..a353404c22b4 100644
--- a/src/rsn_supp/pmksa_cache.c
+++ b/src/rsn_supp/pmksa_cache.c
@@ -367,6 +367,7 @@  pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
 			const u8 *aa)
 {
 	struct rsn_pmksa_cache_entry *new_entry;
+	os_time_t old_expiration = old_entry->expiration;
 
 	new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
 				    NULL, NULL, 0,
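
Review bot: The new local old_expiration at the top of pmksa_cache_clone_entry() carries no comment saying why the value is copied before the pmksa_cache_add() call, so a later cleanup could fold it back into old_entry->expiration and reintroduce the use-after-free. Add a one-line comment there, for example "old_entry may be freed by pmksa_cache_add() when the cache is full". The commit message names pmksa_cache_add_entry() while the call in this hunk is pmksa_cache_add(), so the comment should name the function that actually appears here. The same call still passes old_entry->pmk and old_entry->pmk_len, which is safe only if the callee copies the PMK before it evicts anything; that ordering is worth confirming as part of this fix.
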
@@ -378,7 +379,7 @@  pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
 		return NULL;
 
 	/* TODO: reorder entries based on expiration time? */
-	new_entry->expiration = old_entry->expiration;
+	new_entry->expiration = old_expiration;
 	new_entry->opportunistic = 1;
 
 	return new_entry;
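
Review bot: After the pmksa_cache_add() call, old_entry stays in scope in this part of the function even though it may now be dangling, and nothing marks it as such. A short comment at the new_entry->expiration assignment stating that old_entry must not be dereferenced past the add would keep future edits near new_entry->opportunistic from reaching for it again. The TODO directly above still applies as well: the expiration is overwritten after the entry has already been inserted, so any ordering by expiration time is not updated by this assignment.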