git.ipfire.org Git - thirdparty/hostap.git/commitdiff
nl80211: Clear keys from heap memory before freeing it for get_seqnum
author vamsi krishna <vamsin@codeaurora.org>
Wed, 13 Mar 2019 07:03:17 +0000 (12:33 +0530)
committer Jouni Malinen <j@w1.fi>
Wed, 13 Mar 2019 12:54:18 +0000 (14:54 +0200)
NL80211_CMD_GET_KEY response may return the actual key in addition to
the last used sequence number that we need. That might result in a key
being left in unused heap memory after the buffer is freed.

Explicitly clear the message payload with the possibly included key
material from heap memory before returning from the handler function
(and having libnl free the nlmsg) when key information is obtained from
the driver using the NL80211_CMD_GET_KEY command.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/drivers/driver_nl80211.c

index 9a58b81b7ec713fc33cd9939c89897a376371800..cc59f1458f7f267c786889914ba19c2037724b81 100644 (file)
@@ -6132,6 +6132,7 @@ static int get_key_handler(struct nl_msg *msg, void *arg)
        if (tb[NL80211_ATTR_KEY_SEQ])
                memcpy(arg, nla_data(tb[NL80211_ATTR_KEY_SEQ]),
                       min_int(nla_len(tb[NL80211_ATTR_KEY_SEQ]), 6));
+       nl80211_nlmsg_clear(msg);
        return NL_SKIP;
 }
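Review bot: the nl80211_nlmsg_clear(msg) call sits only on the final return NL_SKIP path of get_key_handler(), so any earlier return in the part of the function above this hunk's context would still hand the message back to libnl with the key in it. Confirm there is none, or route every exit through the clear. A short comment at the call, saying that the NL80211_CMD_GET_KEY reply may carry the key itself and not only NL80211_ATTR_KEY_SEQ, would keep the line from being dropped as redundant later. The body of nl80211_nlmsg_clear() is not shown in this hunk, so check there that the wipe covers the whole message payload and is done in a way the compiler cannot elide.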