mka: Fix deleteSAs clearing of principal->new_key
authorJouni Malinen <j@w1.fi>
Thu, 27 Dec 2018 22:47:53 +0000 (00:47 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 29 Dec 2018 09:05:39 +0000 (11:05 +0200)
This pointer needs to be cleared when the matching SAK is being removed
from the SAK list. The previous implementation was doing something
pretty strange in the loop by clearing the pointer for any non-matching
key that happened to be iterated through before finding the matching
key. This could probably result in incorrect behavior, but not clearing
the pointer for the matching key could do more harm by causing freed
memory to be referenced.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/pae/ieee802_1x_kay.c

index 7d6d07c0b24d13d860193ee4d046ee9713ded7b3..6c07b2c613bb469459548612f99b710ff69f0290 100644 (file)
@@ -1536,6 +1536,11 @@ ieee802_1x_mka_encode_dist_sak_body(
        }
 
        sak = participant->new_key;
+       if (!sak) {
+               wpa_printf(MSG_DEBUG,
+                          "KaY: No SAK available to build Distributed SAK parameter set");
+               return -1;
+       }
        body->confid_offset = sak->confidentiality_offset;
        body->dan = sak->an;
        body->kn = host_to_be32(sak->key_identifier.kn);
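Review bot: The new NULL guard on `participant->new_key` carries no comment saying when the pointer can legitimately be NULL here; going by this commit, that is at least after ieee802_1x_kay_delete_sas() has removed the matching SAK. I would add `/* new_key is cleared when its SAK is deleted, see ieee802_1x_kay_delete_sas() */` above the check so the guard is not later dropped as dead code. The function starts outside the hunk, so it is not visible whether part of the parameter set has already been written to the output buffer before this `return -1`. If it has, the caller must discard the frame on error rather than send a partially filled Distributed SAK body, which is worth confirming.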
@@ -2847,12 +2852,12 @@ int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
        dl_list_for_each_safe(sa_key, pre_key, &principal->sak_list,
                              struct data_key, list) {
                if (is_ki_equal(&sa_key->key_identifier, ki)) {
+                       if (principal->new_key == sa_key)
+                               principal->new_key = NULL;
                        dl_list_del(&sa_key->list);
                        ieee802_1x_kay_deinit_data_key(sa_key);
                        break;
                }
-               if (principal->new_key == sa_key)
-                       principal->new_key = NULL;
        }
 
        return 0;
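Review bot: The added clear covers only `principal->new_key`, so any other pointer that still refers to `sa_key` when `ieee802_1x_kay_deinit_data_key(sa_key)` runs would be left dangling in the way the commit message describes. The start of ieee802_1x_kay_delete_sas() is outside the hunk, so such references may already be released earlier in the function, but that should be confirmed. A short comment on the new lines, for example `/* drop the cached pointer before the key is released */`, would document why the check must stay inside the matching branch and ahead of the deinit call. The function also returns 0 whether or not any key matched `ki`, which is fine if callers treat deletion as idempotent but deserves a mention in the function's header comment.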