EAP-TTLS: Fix possible memory leak in eap_ttls_phase2_request_mschap()

The msg buffer needs to be freed on these two error paths.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>

diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index 01112b5df70044724df0e1b4eded87f954f77a54..c8a05fdcaff812e4d1cc726ec85d8b3a7686ed7b 100644 (file)
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -625,15 +625,25 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
        pos += 24;
        if (pwhash) {
                /* NT-Response */
-               if (challenge_response(challenge, password, pos))
+               if (challenge_response(challenge, password, pos)) {
+                       wpa_printf(MSG_ERROR,
+                                  "EAP-TTLS/MSCHAP: Failed derive password hash");
+                       wpabuf_free(msg);
                        return -1;
+               }
+
                wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
                                password, 16);
        } else {
                /* NT-Response */
                if (nt_challenge_response(challenge, password, password_len,
-                                         pos))
+                                         pos)) {
+                       wpa_printf(MSG_ERROR,
+                                  "EAP-TTLS/MSCHAP: Failed derive password");
+                       wpabuf_free(msg);
                        return -1;
+               }
+
                wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
                                      password, password_len);
        }