From: Burvin Shi <burvin@amazon.com>
Date: Fri, 21 Nov 2025 07:07:04 +0000 (+0000)
Subject: DPP: Fix error path processing in decryption of E-id
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=480f8a992f33d0cad53a98e2cfbf1d733c6ca8ca;p=thirdparty%2Fhostap.git

DPP: Fix error path processing in decryption of E-id

If any of the operations on a successfully allocated e_id fails
dpp_decrypt_e_id() freed e_id, but forgot to clear the pointer that gets
returned to the caller. This could result in at least a theoretical use
of freed memory. Fix this by clearing the pointer to return an
appropriate indication of the failed operation.

Signed-off-by: Burvin Shi <burvin@amazon.com>
---

diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index f17f95a2c..4b5f24378 100644
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -2371,6 +2371,7 @@ struct crypto_ec_point * dpp_decrypt_e_id(struct crypto_ec_key *ppkey,
 	    crypto_ec_point_invert(ec, e_id) ||
 	    crypto_ec_point_add(ec, e_id, e_prime_id_point, e_id)) {
 		crypto_ec_point_deinit(e_id, 1);
+		e_id = NULL;
 		goto fail;
 	}