EAP-SIM/AKA peer: Fix use-after-free for privacy identity

When the privacy protected itentity is used for EAP-SIM/AKA, the buffer
containing the identity was freed just before its use. Fix that by
reordering the operations.

Fixes: 881cb4198b55 ("EAP-SIM/AKA peer: Simplify identity selection for MK derivation")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 199ea0aab7abee428645243ac08ef98bc4124c32..935286242fd886ce9b183a12e653db22ff26d2b8 100644 (file)
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1757,12 +1757,13 @@ struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted)
                return NULL;
 
        wpabuf_put_data(resp, identity, identity_len);
-       wpabuf_free(privacy_identity);
 
        os_free(sm->identity);
        sm->identity = os_memdup(identity, identity_len);
        sm->identity_len = identity_len;
 
+       wpabuf_free(privacy_identity);
+
        return resp;
 }