Fix memory leak on NFC DH generation error path

It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/crypto/dh_group5.c b/src/crypto/dh_group5.c
index ccdbfc812958345f750e2a5135c293a1de4095af..425c848acb832b220f3b559433ca86933dcf38f0 100644 (file)
--- a/src/crypto/dh_group5.c
+++ b/src/crypto/dh_group5.c
@@ -15,6 +15,7 @@
 
 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
 {
+       wpabuf_free(*publ);
        *publ = dh_init(dh_groups_get(5), priv);
        if (*publ == NULL)
                return NULL;

diff --git a/src/crypto/dh_groups.c b/src/crypto/dh_groups.c
index 3aeb2bbc60af3f5b405f861c55e0076b00a00404..7912361ff8c6faeabb9a239e5a3893fc4593eeef 100644 (file)
--- a/src/crypto/dh_groups.c
+++ b/src/crypto/dh_groups.c
@@ -1218,14 +1218,19 @@ struct wpabuf * dh_init(const struct dh_group *dh, struct wpabuf **priv)
 
        pv_len = dh->prime_len;
        pv = wpabuf_alloc(pv_len);
-       if (pv == NULL)
+       if (pv == NULL) {
+               wpabuf_clear_free(*priv);
+               *priv = NULL;
                return NULL;
+       }
        if (crypto_mod_exp(dh->generator, dh->generator_len,
                           wpabuf_head(*priv), wpabuf_len(*priv),
                           dh->prime, dh->prime_len, wpabuf_mhead(pv),
                           &pv_len) < 0) {
                wpabuf_clear_free(pv);
                wpa_printf(MSG_INFO, "DH: crypto_mod_exp failed");
+               wpabuf_clear_free(*priv);
+               *priv = NULL;
                return NULL;
        }
        wpabuf_put(pv, pv_len);