PMKSA: Fix use-after-free in pmksa_cache_clone_entry()
authorAndrew Elble <aweits@rit.edu>
Fri, 8 Sep 2017 01:42:02 +0000 (21:42 -0400)
committerJouni Malinen <j@w1.fi>
Sat, 9 Sep 2017 22:39:37 +0000 (01:39 +0300)
pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache
is full. This can result in the PMKSA cache containing entries with
corrupt expiration times.

Signed-off-by: Andrew Elble <aweits@rit.edu>
src/rsn_supp/pmksa_cache.c

index e1cfa146a3d1864cb7959ed22dc9e3d485c0f2d6..a353404c22b4a58fcb14ead88ac9282c4272da7e 100644 (file)
@@ -367,6 +367,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
                        const u8 *aa)
 {
        struct rsn_pmksa_cache_entry *new_entry;
+       os_time_t old_expiration = old_entry->expiration;
 
        new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
                                    NULL, NULL, 0,
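Review bot: The pmksa_cache_add() call in this hunk still passes `old_entry->pmk` by pointer, so the fix is complete only if the PMK is copied into the new entry before pmksa_cache_add_entry() can free old_entry; that ordering is not visible here and is worth confirming. The new local also carries no comment saying why it exists, which makes it easy for a later cleanup to fold it back into a direct `old_entry->expiration` read. I would add `/* old_entry may be freed by pmksa_cache_add() when the cache is full; do not dereference it after the call */` above `os_time_t old_expiration = old_entry->expiration;`. The call's argument list and the rest of pmksa_cache_clone_entry() continue outside this hunk, so any other old_entry access after the call should be checked the same way.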
@@ -378,7 +379,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
                return NULL;
 
        /* TODO: reorder entries based on expiration time? */
-       new_entry->expiration = old_entry->expiration;
+       new_entry->expiration = old_expiration;
        new_entry->opportunistic = 1;
 
        return new_entry;