RADIUS server: Fix error paths in new session creation
authorJouni Malinen <j@w1.fi>
Sun, 5 Mar 2017 14:16:42 +0000 (16:16 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 5 Mar 2017 14:18:57 +0000 (16:18 +0200)
radius_server_session_free() does not remove the session from the
session list and these radius_server_get_new_session() error paths ended
up leaving a pointer to freed memory in the session list. This
resulted in the following operations failing due to use of freed memory.

Fix this by using radius_server_session_remove() which removes the entry
from the list in addition to calling radius_server_session_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
src/radius/radius_server.c

index e8bef45fc255c4d2c4aa56f4e1b9aa6a646d189b..6cce2ff002d2b12f0a556fa72e153d208c79f183 100644 (file)
@@ -662,14 +662,14 @@ radius_server_get_new_session(struct radius_server_data *data,
 
        sess->username = os_malloc(user_len * 4 + 1);
        if (sess->username == NULL) {
-               radius_server_session_free(data, sess);
+               radius_server_session_remove(data, sess);
                return NULL;
        }
        printf_encode(sess->username, user_len * 4 + 1, user, user_len);
 
        sess->nas_ip = os_strdup(from_addr);
        if (sess->nas_ip == NULL) {
-               radius_server_session_free(data, sess);
+               radius_server_session_remove(data, sess);
                return NULL;
        }
 
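Review bot: Nothing at the three changed call sites records why `radius_server_session_remove()` is needed here rather than `radius_server_session_free()`, so a later error path added to this function could reintroduce the dangling list entry. This applies to both calls in this hunk and to the one in the `sess->eap == NULL` branch of the next hunk. A short comment at the first site would do, e.g. `/* sess is already on the session list: unlink it, do not just free it */`. The two allocation-failure branches also return NULL silently, unlike the EAP-init branch, which calls `RADIUS_DEBUG`. A line such as `RADIUS_DEBUG("Failed to allocate memory for the new session");` would make these paths visible when diagnosing memory pressure. The function body starts before and continues past this hunk.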
@@ -702,7 +702,7 @@ radius_server_get_new_session(struct radius_server_data *data,
        if (sess->eap == NULL) {
                RADIUS_DEBUG("Failed to initialize EAP state machine for the "
                             "new session");
-               radius_server_session_free(data, sess);
+               radius_server_session_remove(data, sess);
                return NULL;
        }
        sess->eap_if = eap_get_interface(sess->eap);