mka: Fix use-after-free when transmit secure channels are deleted

ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
data, but secy_delete_transmit_sc() still needs it. Since this functions
are called sequentially, secy_delete_transmit_sc() can be called from
ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.

Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 31905ed6bb06054851ff7134462966eb892da422..1d4ed89c065494e49238c2a38d43222a5025b184 100644 (file)
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
        dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
                ieee802_1x_delete_transmit_sa(participant->kay, psa);
 
+       secy_delete_transmit_sc(participant->kay, psc);
        os_free(psc);
 }
 
@@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
                ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
        }
        ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
-       secy_delete_transmit_sc(kay, participant->txsc);
 
        os_memset(&participant->cak, 0, sizeof(participant->cak));
        os_memset(&participant->kek, 0, sizeof(participant->kek));