mka: Avoid memory leak in unexpected case in RECEIVE

It looks like it is possible for the RECEIVE state to leak memory where
a previously allocated sm->lki is moved to sm->oki while sm->oki is
pointing to not yet freed entry. It is not clear how this can be
triggered, but it has come up in hwsim testing under heavy load.

Free sm->oki if it is still set in RECEIVE before replacing it with
sm->lki to avoid this memory leak.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c
index 8cdce30e80fb942511ac72d7e1711664a9d321ca..1c4dc3e63c9ff8a52e9ea8f153fd78c7aec0a3ba 100644 (file)
--- a/src/pae/ieee802_1x_cp.c
+++ b/src/pae/ieee802_1x_cp.c
@@ -214,6 +214,10 @@ SM_STATE(CP, RECEIVE)
        SM_ENTRY(CP, RECEIVE);
        /* RECEIVE state machine not keep with Figure 12-2 in
         * IEEE Std 802.1X-2010 */
+       if (sm->oki) {
+               ieee802_1x_kay_delete_sas(sm->kay, sm->oki);
+               os_free(sm->oki);
+       }
        sm->oki = sm->lki;
        sm->oan = sm->lan;
        sm->otx = sm->ltx;