From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 5 Feb 2016 22:26:31 +0000 (+0200)
Subject: EAP-FAST: Fix an error path in PAC binary format parsing
X-Git-Tag: hostap_2_6~953
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e265838a434d9d759776a7657ed665ddc1e83a54;p=thirdparty%2Fhostap.git

EAP-FAST: Fix an error path in PAC binary format parsing

Need to clear the pac pointer for the first error case to avoid freeing
the previous PAC entry if the following entry has an invalid header.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---

diff --git a/src/eap_peer/eap_fast_pac.c b/src/eap_peer/eap_fast_pac.c
index 0220caeda..c81586035 100644
--- a/src/eap_peer/eap_fast_pac.c
+++ b/src/eap_peer/eap_fast_pac.c
@@ -802,8 +802,10 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root,
 	while (pos < end) {
 		u16 val;
 
-		if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2)
+		if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2) {
+			pac = NULL;
 			goto parse_fail;
+		}
 
 		pac = os_zalloc(sizeof(*pac));
 		if (pac == NULL)