From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 2 Nov 2020 14:52:01 +0000 (+0200)
Subject: DPP2: Fix error path handling in enterprise provisioning
X-Git-Tag: hostap_2_10~788
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d490296bcdb6221e0e00b1c3ca3ca2f3ff444bf;p=thirdparty%2Fhostap.git

DPP2: Fix error path handling in enterprise provisioning

The allocated memory pointed by the pem pointer was freed on an error
path without clearing the pointer to NULL before returning it from the
function. This could have resulted in use of freed memory in an error
case. Fix this by clearing the pointer so that the function returns NULL
properly in the case of this error.

Fixes: ace3723d9879 ("DPP2: Enterprise provisioning (Enrollee)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---

diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index 37c2b692b..c75fc7871 100644
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -2868,6 +2868,7 @@ struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7)
 	res = BIO_read(out, wpabuf_put(pem, 0), rlen);
 	if (res <= 0) {
 		wpabuf_free(pem);
+		pem = NULL;
 		goto fail;
 	}
 	wpabuf_put(pem, res);