From: Jouni Malinen
Date: Mon, 22 Jan 2024 09:47:00 +0000 (+0200)
Subject: EAP-SIM/AKA peer: Fix use-after-free for privacy identity
X-Git-Tag: hostap_2_11~443
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3d6fce848856feb6d835e52a2f50472c19a5950;p=thirdparty%2Fhostap.git

EAP-SIM/AKA peer: Fix use-after-free for privacy identity

When the privacy protected identity is used for EAP-SIM/AKA, the buffer
containing the identity was freed just before its use. Fix that by
reordering the operations.

Fixes: 881cb4198b55 ("EAP-SIM/AKA peer: Simplify identity selection for MK derivation")
Signed-off-by: Jouni Malinen
---

diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c index 199ea0aab..935286242 100644 --- a/src/eap_peer/eap.c +++ b/src/eap_peer/eap.c @@ -1757,12 +1757,13 @@ struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted) return NULL; wpabuf_put_data(resp, identity, identity_len); - wpabuf_free(privacy_identity); os_free(sm->identity); sm->identity = os_memdup(identity, identity_len); sm->identity_len = identity_len; + wpabuf_free(privacy_identity); + return resp; }
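
Review bot: The relocated wpabuf_free(privacy_identity) at the end of the hunk carries no comment explaining why it has to follow the os_memdup() call, so the ordering this fix depends on is easy to undo in a later cleanup. Per the commit message, identity can refer to data held in the privacy_identity buffer; a one-line comment above the free, such as "identity may point into privacy_identity, free only after its last use", would keep that lifetime constraint visible. Separately, in the unchanged context lines, the result of os_memdup(identity, identity_len) is not checked before sm->identity_len = identity_len is assigned, so an allocation failure would leave a NULL sm->identity paired with a non-zero length; consider setting the length to 0 in that case.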