FILS: Explicitly clear plaintext buffer for Assoc Resp
authorJouni Malinen <j@w1.fi>
Sun, 26 May 2019 12:53:25 +0000 (15:53 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 26 May 2019 13:11:56 +0000 (16:11 +0300)
This buffer may contain GTK and IGTK, so better clear it explicitly from
heap memory before freeing the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/wpa_auth.c

index e5a777bbbce1f3914254d927bedf31f1c98d0ccf..e1c0c2ccb6db9574f94776586b7e09f1a9325969 100644 (file)
@@ -2613,7 +2613,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
        if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
                wpa_printf(MSG_DEBUG,
                           "FILS: Not enough room for FILS elements");
-               wpabuf_free(plain);
+               wpabuf_clear_free(plain);
                return -1;
        }
 
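Review bot: The room check `pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end` forms a pointer that can lie past the end of the output buffer before it is compared. That is undefined behaviour in C, and if the sum wraps, an oversized plaintext can pass the check. Comparing lengths avoids this: `if (wpabuf_len(plain) + AES_BLOCK_SIZE > (size_t) (end - pos)) {`, assuming `pos <= end` holds at this point, which the hunk does not show. This check is the only bound visible here on the AES-SIV output written at `pos` in the next hunk. fils_encrypt_assoc starts and ends outside the hunk.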
@@ -2623,7 +2623,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
        if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
                            wpabuf_head(plain), wpabuf_len(plain),
                            5, aad, aad_len, pos) < 0) {
-               wpabuf_free(plain);
+               wpabuf_clear_free(plain);
                return -1;
        }
 
@@ -2631,7 +2631,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
                    "FILS: Encrypted Association Response elements",
                    pos, AES_BLOCK_SIZE + wpabuf_len(plain));
        current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
-       wpabuf_free(plain);
+       wpabuf_clear_free(plain);
 
        sm->fils_completed = 1;
 
@@ -2685,7 +2685,7 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
                 * of GTK in the BSS.
                 */
                if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
-                       wpabuf_free(plain);
+                       wpabuf_clear_free(plain);
                        return NULL;
                }
                gtk = dummy_gtk;
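Review bot: Every exit from fils_prepare_plainbuf that drops `plain` now has to remember the clearing variant, here and on both OCV error paths in the next hunk. A later early return that falls back to `wpabuf_free()` would leave GTK/IGTK bytes in freed heap memory again. Routing the error exits through one label keeps the rule in a single place: `fail: wpabuf_clear_free(plain); return NULL;` with `goto fail;` at each site. The three exits of fils_encrypt_assoc in the earlier hunks could share the same pattern, and a comment at the label such as `/* plain may hold GTK/IGTK; always clear before free */` would record why. The function body continues outside this hunk.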
@@ -2712,13 +2712,13 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
                if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
                        wpa_printf(MSG_WARNING,
                                   "FILS: Failed to get channel info for OCI element");
-                       wpabuf_free(plain);
+                       wpabuf_clear_free(plain);
                        return NULL;
                }
 
                pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
                if (ocv_insert_extended_oci(&ci, pos) < 0) {
-                       wpabuf_free(plain);
+                       wpabuf_clear_free(plain);
                        return NULL;
                }
        }
@@ -2781,7 +2781,7 @@ u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
 
        wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
                   (unsigned int) wpabuf_len(plain));
-       wpabuf_free(plain);
+       wpabuf_clear_free(plain);
        sm->fils_completed = 1;
        return pos;
 }
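Review bot: Clearing `plain` before `return pos;` removes only this copy of the key material. The function returns `pos` into the caller's `buf`, so if the elements were copied there unencrypted earlier in the function (not visible in this hunk), the GTK/IGTK are still in that buffer after the call. The caller should be checked for how long it keeps that buffer and whether it is cleared before being freed or reused. If that is the case, a comment above the free such as `/* plaintext copy in buf is owned by the caller and must be cleared there */` would make the ownership explicit.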