DPP2: Fix error path handling in enterprise provisioning

The allocated memory pointed by the pem pointer was freed on an error
path without clearing the pointer to NULL before returning it from the
function. This could have resulted in use of freed memory in an error
case. Fix this by clearing the pointer so that the function returns NULL
properly in the case of this error.

Fixes: ace3723d9879 ("DPP2: Enterprise provisioning (Enrollee)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index 37c2b692bf59b2ea6c20d6208f7edc172ae1c718..c75fc78711a82c7eaac9148ee316ef8f4a8df605 100644 (file)
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -2868,6 +2868,7 @@ struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7)
        res = BIO_read(out, wpabuf_put(pem, 0), rlen);
        if (res <= 0) {
                wpabuf_free(pem);
+               pem = NULL;
                goto fail;
        }
        wpabuf_put(pem, res);