It looks like it is possible for the RECEIVE state to leak memory where
a previously allocated sm->lki is moved to sm->oki while sm->oki is
pointing to not yet freed entry. It is not clear how this can be
triggered, but it has come up in hwsim testing under heavy load.
Free sm->oki if it is still set in RECEIVE before replacing it with
sm->lki to avoid this memory leak.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SM_ENTRY(CP, RECEIVE);
/* RECEIVE state machine not keep with Figure 12-2 in
* IEEE Std 802.1X-2010 */
+ if (sm->oki) {
+ ieee802_1x_kay_delete_sas(sm->kay, sm->oki);
+ os_free(sm->oki);
+ }
sm->oki = sm->lki;
sm->oan = sm->lan;
sm->otx = sm->ltx;