]> git.ipfire.org Git - thirdparty/hostap.git/commitdiff
projects / thirdparty / hostap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: faf0fef)
mka: Fix use-after-free when receive secure channels are deleted
authorDavide Caratti <davide.caratti@gmail.com>
Thu, 16 Mar 2017 13:01:54 +0000 (14:01 +0100)
committerJouni Malinen <j@w1.fi>
Sun, 26 Mar 2017 18:13:21 +0000 (21:13 +0300)
ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
but secy_delete_receive_sc() still needs it. Since these two functions
are always called sequentially, secy_delete_receive_sc() can be called
from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.

Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
src/pae/ieee802_1x_kay.c patch | blob | blame | history

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 3f9e53da978743fa325be14870d19d27b0c5f33e..31905ed6bb06054851ff7134462966eb892da422 100644 (file)
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
                ieee802_1x_delete_receive_sa(participant->kay, psa);
 
        dl_list_del(&psc->list);
+       secy_delete_receive_sc(participant->kay, psc);
        os_free(psc);
 }
 
@@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
                                if (sci_equal(&rxsc->sci, &peer->sci)) {
                                        ieee802_1x_kay_deinit_receive_sc(
                                                participant, rxsc);
-                                       secy_delete_receive_sc(kay, rxsc);
                                }
                        }
                        dl_list_del(&peer->list);
@@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
                rxsc = dl_list_entry(participant->rxsc_list.next,
                                     struct receive_sc, list);
                ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
-               secy_delete_receive_sc(kay, rxsc);
        }
        ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
        secy_delete_transmit_sc(kay, participant->txsc);
Unnamed repository; edit this file 'description' to name the repository.