From: vamsi krishna Date: Wed, 13 Mar 2019 07:03:17 +0000 (+0530) Subject: nl80211: Clear keys from heap memory before freeing it for get_seqnum X-Git-Tag: hostap_2_8~235 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4efade31571af785308b826e997ee6d6d412b360;p=thirdparty%2Fhostap.git nl80211: Clear keys from heap memory before freeing it for get_seqnum NL80211_CMD_GET_KEY response may return the actual key in addition to the last used sequence number that we need. That might result in a key being left in unused heap memory after the buffer is freed. Explicitly clear the message payload with the possibly included key material from heap memory before returning from the handler function (and having libnl free the nlmsg) when key information is obtained from the driver using the NL80211_CMD_GET_KEY command. Signed-off-by: Jouni Malinen --- diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 9a58b81b7..cc59f1458 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -6132,6 +6132,7 @@ static int get_key_handler(struct nl_msg *msg, void *arg) if (tb[NL80211_ATTR_KEY_SEQ]) memcpy(arg, nla_data(tb[NL80211_ATTR_KEY_SEQ]), min_int(nla_len(tb[NL80211_ATTR_KEY_SEQ]), 6)); + nl80211_nlmsg_clear(msg); return NL_SKIP; }
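Review bot: In get_key_handler, the new nl80211_nlmsg_clear(msg) call is placed only before the final return NL_SKIP shown in this hunk, and nothing in the code says why the message is wiped. Suggest a one-line comment above the call noting that the NL80211_CMD_GET_KEY reply may carry the key itself, so that a later cleanup does not drop the call as redundant. Please also confirm that no earlier return in the handler, outside the visible context, exits without clearing. The memcpy above copies at most 6 bytes of NL80211_ATTR_KEY_SEQ into arg, so only the sequence number leaves the handler. Whether the rest of the payload is actually wiped depends on nl80211_nlmsg_clear, whose definition is not part of this diff. It is worth checking that it covers the full message payload and uses a clear the compiler will not optimize away.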