EAP-pwd: Fix memory leak on error path with fragmentation

If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index fef478370c1117031350f7eb45792651f2e2e9f0..9eb058e9f88574b5bcab26fc6c37b9eb889dd918 100644 (file)
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -161,6 +161,8 @@ static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
                BN_free(data->grp->prime);
                os_free(data->grp);
        }
+       wpabuf_free(data->inbuf);
+       wpabuf_free(data->outbuf);
        os_free(data);
 }
 
@@ -773,6 +775,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
                                   (int) data->in_frag_pos,
                                   (int) wpabuf_len(data->inbuf));
                        wpabuf_free(data->inbuf);
+                       data->inbuf = NULL;
                        data->in_frag_pos = 0;
                        return NULL;
                }
@@ -824,6 +827,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
         */
        if (data->in_frag_pos) {
                wpabuf_free(data->inbuf);
+               data->inbuf = NULL;
                data->in_frag_pos = 0;
        }
 

diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index b61061bce702d5af98b2571d11459b0e12ff86a2..3467dd160ad8173762fc0ed23cb31374538d928f 100644 (file)
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -150,6 +150,8 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
                BN_free(data->grp->prime);
                os_free(data->grp);
        }
+       wpabuf_free(data->inbuf);
+       wpabuf_free(data->outbuf);
        os_free(data);
 }
 
@@ -523,6 +525,7 @@ eap_pwd_build_req(struct eap_sm *sm, void *priv, u8 id)
         */
        if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
                wpabuf_free(data->outbuf);
+               data->outbuf = NULL;
                data->out_frag_pos = 0;
        }
 
@@ -949,6 +952,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
         */
        if (data->in_frag_pos) {
                wpabuf_free(data->inbuf);
+               data->inbuf = NULL;
                data->in_frag_pos = 0;
        }
 }