From: Jouni Malinen
Date: Wed, 8 May 2019 15:32:29 +0000 (+0300)
Subject: DPP: Fix memory leak in EC_GROUP handling
X-Git-Tag: hostap_2_9~289
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57ec74ea9b9afb7d0f841cbd70955152251b4813;p=thirdparty%2Fhostap.git
DPP: Fix memory leak in EC_GROUP handling
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer, so need to free this with EC_GROUP_free() before leaving the calling functions. This was leaking memory when parsing JWK and when performing PKEX.
Signed-off-by: Jouni Malinen
---
diff --git a/src/common/dpp.c b/src/common/dpp.c
index fa603a9be..614f82dca 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -5254,6 +5254,7 @@ static EVP_PKEY * dpp_parse_jwk(struct json_token *jwk,
pkey = dpp_set_pubkey_point_group(group, wpabuf_head(x), wpabuf_head(y), wpabuf_len(x));
+ EC_GROUP_free(group);
*key_curve = curve;
fail:
@@ -6590,6 +6591,7 @@ static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve,
EC_GROUP *group;
size_t len = curve->prime_len;
const u8 *x, *y;
+ EVP_PKEY *res;
switch (curve->ike_group) {
case 19:
@@ -6623,7 +6625,9 @@ static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve,
group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
if (!group) return NULL;
- return dpp_set_pubkey_point_group(group, x, y, len);
+ res = dpp_set_pubkey_point_group(group, x, y, len);
+ EC_GROUP_free(group);
+ return res;
}
@@ -6851,6 +6855,7 @@ fail:
BN_free(y);
EC_POINT_free(point);
BN_CTX_free(ctx);
+ EC_GROUP_free(group);
return ret;
}
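Review bot: In dpp_parse_jwk() the new `EC_GROUP_free(group);` sits inline above the `fail:` label, so it only runs on the straight-line path; any `goto fail` taken after EC_GROUP_new_by_curve_name() succeeds but before this line would still leak the group. The allocation and the code between it and this call are outside the hunk, so this needs confirming against the full function. Both here and in the third hunk (dpp_pkex_get_role_elem) the group is released immediately after dpp_set_pubkey_point_group() returns, which is only correct if that helper keeps no reference to `group` in the returned key; a short comment at the call sites such as `/* dpp_set_pubkey_point_group() does not take ownership of group */` would record that contract for future changes to the helper.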
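Review bot: In the last hunk, the added `EC_GROUP_free(group);` under `fail:` runs on every exit path, including any `goto fail` taken before `group` is assigned. That is safe only if the declaration, which is outside the hunk along with the function's name, initialises the pointer, e.g. `EC_GROUP *group = NULL;`; otherwise an early failure would pass an indeterminate pointer to the free routine. It is also worth confirming that `group` in this function is an owned allocation and not a borrowed pointer obtained from a key, since freeing a borrowed group would corrupt the key it belongs to.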