EAP-pwd peer: Fix memory leak in eap_pwd_perform_confirm_exchange()

Message ID 20180821113757epcas5p31daaead102d4d9cf9b0423e39272c087~M40lRJ4rA3204732047epcas5p39@epcas5p3.samsung.com
State Accepted

Commit Message

Nishant Chaprana Aug. 21, 2018, 11:37 a.m.
Description: hash variable is allocated memory using eap_pwd_h_init().
But there are code paths which skip deallocation of hash after usage.
The memory of hash is deallocated using eap_pwd_h_final().

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
---
 src/eap_peer/eap_pwd.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Jouni Malinen Oct. 16, 2018, 3:37 p.m. | #1
On Tue, Aug 21, 2018 at 05:07:51PM +0530, Nishant Chaprana wrote:
> Description: hash variable is allocated memory using eap_pwd_h_init().
> But there are code paths which skip deallocation of hash after usage.
> The memory of hash is deallocated using eap_pwd_h_final().

Thanks, applied.

Patch

diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 90ac3cf..761c16a 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -696,7 +696,7 @@  eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 				 const struct wpabuf *reqData,
 				 const u8 *payload, size_t payload_len)
 {
-	struct crypto_hash *hash;
+	struct crypto_hash *hash = NULL;
 	u32 cs;
 	u16 grp;
 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
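Review bot: the `= NULL` initializer on `hash` is not cosmetic; the `if (hash)` test added at the end of the function relies on it for any path that reaches `fin:` before the hash is allocated, yet the commit message only describes the leak. Please mention the initializer there so it is not later dropped as redundant.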
@@ -783,6 +783,7 @@  eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 
 	/* random function fin */
 	eap_pwd_h_final(hash, conf);
+	hash = NULL;
 
 	ptr = (u8 *) payload;
 	if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
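Review bot: the `hash = NULL;` after `eap_pwd_h_final(hash, conf);` is what keeps the new cleanup at `fin:` from finalizing the same context a second time, but nothing at this site says so. A short comment tying the reset to the `fin:` cleanup would stop it from being removed as dead code, and would remind anyone adding another finalize call to reset the pointer as well.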
@@ -836,6 +837,7 @@  eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 
 	/* all done */
 	eap_pwd_h_final(hash, conf);
+	hash = NULL;
 
 	if (compute_keys(data->grp, data->k,
 			 data->my_scalar, data->server_scalar, conf, ptr,
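Review bot: this is the second copy of the finalize-then-NULL pair, and correctness of the `fin:` cleanup depends on both copies staying in sync. The reset is correctly placed before the `compute_keys()` check, so a branch out of that `if` cannot carry a stale pointer to `fin:`. Consider folding `eap_pwd_h_final(hash, conf); hash = NULL;` into one local helper so the two sites cannot drift apart.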
@@ -860,6 +862,10 @@  fin:
 	} else {
 		eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
 	}
+
+	/* clean allocated memory */
+	if (hash)
+		eap_pwd_h_final(hash, conf);
 }
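Review bot: the cleanup at the end of the function calls `eap_pwd_h_final(hash, conf)` purely to release the context, which also writes a digest of whatever was hashed so far into `conf`. That is harmless only because nothing follows it before the closing brace, and the comment `/* clean allocated memory */` does not say so. Please reword the comment to state that the digest is discarded and the call exists only to free `hash`. Moving the block directly under the `fin:` label would also make the cleanup easier to spot than after the state-transition `else`.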