Fix memory leaks and wrong memory access

1. In wpa_config_process_bgscan() fix memory leak after
   calling wpa_config_parse_string()
2. In hostapd_config_defaults(), on failure to allocate bss->radius,
   conf->bss was not freed.
3. In p2p_deauth_nofif(), memory allocated in p2p_parse_ies() was not
   freed in case of NULL minor_reason_code.
4. In p2p_disassoc_nofif(), memory allocated in p2p_parse_ies() was
   not freed in case of NULL minor_reason_code.
5. In p2p_process_go_neg_conf(), memory allocated was not freed in
   case that the P2P Device interface was not waiting for a
   GO Negotiation Confirm.
6. In wpa_set_pkcs11_engine_and_module_path(), the wrong pointer was
   checked.

Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 79ab4ba102a71b5dbec9fae2ad96b96d0657aeaf..368b2020e8e5c83a03651a3062052afe9a5cc3fd 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -140,6 +140,7 @@ struct hostapd_config * hostapd_config_defaults(void)
 
        bss->radius = os_zalloc(sizeof(*bss->radius));
        if (bss->radius == NULL) {
+               os_free(conf->bss);
                os_free(conf);
                os_free(bss);
                return NULL;

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index ca347e7b63105ce38e26ad95a86fc482e0524bd7..957dee5bd9a2a44909e9c702adf2d4ab320f42ef 100644 (file)
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -3862,8 +3862,10 @@ void p2p_deauth_notif(struct p2p_data *p2p, const u8 *bssid, u16 reason_code,
        os_memset(&msg, 0, sizeof(msg));
        if (p2p_parse_ies(ie, ie_len, &msg))
                return;
-       if (msg.minor_reason_code == NULL)
+       if (msg.minor_reason_code == NULL) {
+               p2p_parse_free(&msg);
                return;
+       }
 
        p2p_dbg(p2p, "Deauthentication notification BSSID " MACSTR
                " reason_code=%u minor_reason_code=%u",
@@ -3884,8 +3886,10 @@ void p2p_disassoc_notif(struct p2p_data *p2p, const u8 *bssid, u16 reason_code,
        os_memset(&msg, 0, sizeof(msg));
        if (p2p_parse_ies(ie, ie_len, &msg))
                return;
-       if (msg.minor_reason_code == NULL)
+       if (msg.minor_reason_code == NULL) {
+               p2p_parse_free(&msg);
                return;
+       }
 
        p2p_dbg(p2p, "Disassociation notification BSSID " MACSTR
                " reason_code=%u minor_reason_code=%u",

diff --git a/src/p2p/p2p_go_neg.c b/src/p2p/p2p_go_neg.c
index 76436f5d0a1b48e400061e7828228b0533f7bcb9..e28f93ea2b9675e856c4eb764c5917c199b3e568 100644 (file)
--- a/src/p2p/p2p_go_neg.c
+++ b/src/p2p/p2p_go_neg.c
@@ -1136,6 +1136,7 @@ void p2p_process_go_neg_conf(struct p2p_data *p2p, const u8 *sa,
 
        if (!(dev->flags & P2P_DEV_WAIT_GO_NEG_CONFIRM)) {
                p2p_dbg(p2p, "Was not expecting GO Negotiation Confirm - ignore");
+               p2p_parse_free(&msg);
                return;
        }
        dev->flags &= ~P2P_DEV_WAIT_GO_NEG_CONFIRM;

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b43a72a68921b29adb3e5acb4f9b5265d999d501..2dd705459dcb496fc0bf8de62a7b8d1ac9650fd8 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2912,6 +2912,7 @@ static int wpa_config_process_bgscan(const struct global_parse_data *data,
 {
        size_t len;
        char *tmp;
+       int res;
 
        tmp = wpa_config_parse_string(pos, &len);
        if (tmp == NULL) {
@@ -2920,7 +2921,9 @@ static int wpa_config_process_bgscan(const struct global_parse_data *data,
                return -1;
        }
 
-       return wpa_global_config_parse_str(data, config, line, tmp);
+       res = wpa_global_config_parse_str(data, config, line, tmp);
+       os_free(tmp);
+       return res;
 }
 
 

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 35f56936ef869112a3f1912e5cd0cb6e428cf508..455b15828bd9f39ef95dfb91b4da7399a18e4b6e 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2083,7 +2083,7 @@ int wpas_set_pkcs11_engine_and_module_path(struct wpa_supplicant *wpa_s,
        }
        if (pkcs11_module_path != NULL) {
                pkcs11_module_path_copy = os_strdup(pkcs11_module_path);
-               if (pkcs11_engine_path_copy == NULL) {
+               if (pkcs11_module_path_copy == NULL) {
                        os_free(pkcs11_engine_path_copy);
                        return -1;
                }