AP: Avoid double free of key data buffer if AES unwrap fails

key_data_buf was freed when aes_unwrap() failed, and then after goto
out, key_data_buf would be freed again. The separate feeing on
aes_unwrap() failure is not needed, so remove it.

Fixes: 4abc37e67b ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 49866c276ce62f9f959367e85ab3058dc9ca0974..d067b2cfab29d9e602435071c3a4a11a114d846f 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3811,7 +3811,6 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                key_data_buf_len = key_data_length;
                if (aes_unwrap(PTK.kek, PTK.kek_len, key_data_length / 8,
                               key_data, key_data_buf)) {
-                       bin_clear_free(key_data_buf, key_data_buf_len);
                        wpa_printf(MSG_INFO,
                                   "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
                        goto out;