EAP-pwd: Fix processing of group setup failure

If invalid group was negotiated, compute_password_element() left some of
the data->grp pointer uninitialized and this could result in
segmentation fault when deinitializing the EAP method. Fix this by
explicitly clearing all the pointer with eap_zalloc(). In addition,
speed up EAP failure reporting in this type of error case by indicating
that the EAP method execution cannot continue anymore on the peer side
instead of waiting for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index ac1b6eb17f4004440940f6e5ec17b77989eefc74..2aa7ba55017868597b9f717010a64e79dee8f196 100644 (file)
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -252,8 +252,8 @@ eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
        wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
                          data->id_server, data->id_server_len);
 
-       if ((data->grp = (EAP_PWD_group *) os_malloc(sizeof(EAP_PWD_group))) ==
-           NULL) {
+       data->grp = os_zalloc(sizeof(EAP_PWD_group));
+       if (data->grp == NULL) {
                wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
                           "group");
                eap_pwd_state(data, FAILURE);
@@ -858,8 +858,11 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
                data->in_frag_pos = 0;
        }
 
-       if (data->outbuf == NULL)
+       if (data->outbuf == NULL) {
+               ret->methodState = METHOD_DONE;
+               ret->decision = DECISION_FAIL;
                return NULL;        /* generic failure */
+       }
 
        /*
         * we have output! Do we need to fragment it?

diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index b0d03d2de6d928c699d889dfa94121d15a38e10f..5d67c8213029b9c9d6429941c3cf2e58165cc7b1 100644 (file)
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -599,7 +599,8 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
        wpa_hexdump_ascii(MSG_DEBUG, "EAP-PWD (server): peer sent id of",
                          data->id_peer, data->id_peer_len);
 
-       if ((data->grp = os_malloc(sizeof(EAP_PWD_group))) == NULL) {
+       data->grp = os_zalloc(sizeof(EAP_PWD_group));
+       if (data->grp == NULL) {
                wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
                           "group");
                return;