EAP-pwd server: Fix memory leak with salted passwords

The struct hostapd_eap_user changes with a new allocated variable were
not covered in the RADIUS server code. Fix this by using eap_user_free()
instead of custom memory freeing operation in radius_server.c.

The hwsim tests with salted password (ap_wpa2_eap_pwd_salt_sha1,
ap_wpa2_eap_pwd_salt_sha256, ap_wpa2_eap_pwd_salt_sha512) triggered
these memory leaks.

Fixes: d52ead3db7b2 ("EAP-pwd server: Add support for salted password databases")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 45e1212cff44d50085aac4afc74b60efad8804cf..b130368b64da292f6245052a0a60091813c4ac8b 100644 (file)
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -161,5 +161,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
                                   const u8 *username, size_t username_len,
                                   const u8 *challenge, const u8 *response);
 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
+void eap_user_free(struct eap_user *user);
 
 #endif /* EAP_H */

diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index b33f6324e604824d6b5e66b7a87a2ff992941943..e8b36e13380db4db1fd059a829a63104691ac62a 100644 (file)
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -25,9 +25,6 @@
 
 #define EAP_MAX_AUTH_ROUNDS 50
 
-static void eap_user_free(struct eap_user *user);
-
-
 /* EAP state machines are described in RFC 4137 */
 
 static int eap_sm_calculateTimeout(struct eap_sm *sm, int retransCount,
@@ -1814,7 +1811,7 @@ int eap_server_sm_step(struct eap_sm *sm)
 }
 
 
-static void eap_user_free(struct eap_user *user)
+void eap_user_free(struct eap_user *user)
 {
        if (user == NULL)
                return;

diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 1c15c2c3f907c1e68817d2b5a0e141c17e01857a..095144d8d6998bdca4da938c87c3ce45d1603710 100644 (file)
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -686,7 +686,7 @@ radius_server_get_new_session(struct radius_server_data *data,
        int res;
        struct radius_session *sess;
        struct eap_config eap_conf;
-       struct eap_user tmp;
+       struct eap_user *tmp;
 
        RADIUS_DEBUG("Creating a new session");
 
@@ -697,12 +697,14 @@ radius_server_get_new_session(struct radius_server_data *data,
        }
        RADIUS_DUMP_ASCII("User-Name", user, user_len);
 
-       os_memset(&tmp, 0, sizeof(tmp));
-       res = data->get_eap_user(data->conf_ctx, user, user_len, 0, &tmp);
-       bin_clear_free(tmp.password, tmp.password_len);
+       tmp = os_zalloc(sizeof(*tmp));
+       if (!tmp)
+               return NULL;
 
+       res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp);
        if (res != 0) {
                RADIUS_DEBUG("User-Name not found from user database");
+               eap_user_free(tmp);
                return NULL;
        }
 
@@ -710,10 +712,12 @@ radius_server_get_new_session(struct radius_server_data *data,
        sess = radius_server_new_session(data, client);
        if (sess == NULL) {
                RADIUS_DEBUG("Failed to create a new session");
+               eap_user_free(tmp);
                return NULL;
        }
-       sess->accept_attr = tmp.accept_attr;
-       sess->macacl = tmp.macacl;
+       sess->accept_attr = tmp->accept_attr;
+       sess->macacl = tmp->macacl;
+       eap_user_free(tmp);
 
        sess->username = os_malloc(user_len * 4 + 1);
        if (sess->username == NULL) {