WPS: Fix leak of dh_ctx in error cases

Usually the dh_ctx is passed into the WPS state and is freed in that
case. However, under some circumstances this may not happen and then a
leak can occur.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 82d4d5fdd599f171e5d2790c33fac61ad45c5d62..ceaf9a453832211e1a9529553fa69e99610f514f 100644 (file)
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -20,6 +20,7 @@
 #include "wps/wps_defs.h"
 #include "wps/wps_dev_attr.h"
 #include "wps/wps_attr_parse.h"
+#include "crypto/dh_group5.h"
 #include "hostapd.h"
 #include "ap_config.h"
 #include "ap_drv_ops.h"
@@ -1071,6 +1072,7 @@ static void hostapd_free_wps(struct wps_context *wps)
        wps_device_data_free(&wps->dev);
        bin_clear_free(wps->network_key, wps->network_key_len);
        hostapd_wps_nfc_clear(wps);
+       dh5_free(wps->dh_ctx);
        wpabuf_free(wps->dh_pubkey);
        wpabuf_free(wps->dh_privkey);
        forced_memzero(wps->psk, sizeof(wps->psk));

diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index d332f000c32b4e141da2a7abeef9dc23f30f7a83..405c5d6051ab9cad7b50b15cd6f06c4e924cb18e 100644 (file)
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1709,6 +1709,7 @@ void wpas_wps_deinit(struct wpa_supplicant *wpa_s)
 #endif /* CONFIG_WPS_ER */
 
        wps_registrar_deinit(wpa_s->wps->registrar);
+       dh5_free(wpa_s->wps->dh_ctx);
        wpabuf_free(wpa_s->wps->dh_pubkey);
        wpabuf_free(wpa_s->wps->dh_privkey);
        wpabuf_free(wpa_s->wps->dev.vendor_ext_m1);