From 0c922f11bb1eead2771d4bcdf5adaa724498dae3 Mon Sep 17 00:00:00 2001
From: Benjamin Berg
Date: Thu, 12 Jun 2025 10:10:19 +0200
Subject: [PATCH] WPS: Fix leak of dh_ctx in error cases

Usually the dh_ctx is passed into the WPS state and is freed in that case. However, under some circumstances this may not happen and then a leak can occur.

Signed-off-by: Benjamin Berg
Reviewed-by: Andrei Otcheretianski
---
 src/ap/wps_hostapd.c | 2 ++
 wpa_supplicant/wps_supplicant.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 82d4d5fdd5..ceaf9a4538 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -20,6 +20,7 @@
 #include "wps/wps_defs.h"
 #include "wps/wps_dev_attr.h"
 #include "wps/wps_attr_parse.h"
+#include "crypto/dh_group5.h"
 #include "hostapd.h"
 #include "ap_config.h"
 #include "ap_drv_ops.h"
@@ -1071,6 +1072,7 @@ static void hostapd_free_wps(struct wps_context *wps)
 wps_device_data_free(&wps->dev);
 bin_clear_free(wps->network_key, wps->network_key_len);
 hostapd_wps_nfc_clear(wps);
+ dh5_free(wps->dh_ctx);
 wpabuf_free(wps->dh_pubkey);
 wpabuf_free(wps->dh_privkey);
 forced_memzero(wps->psk, sizeof(wps->psk));
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index d332f000c3..405c5d6051 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1709,6 +1709,7 @@ void wpas_wps_deinit(struct wpa_supplicant *wpa_s)
 #endif /* CONFIG_WPS_ER */
 wps_registrar_deinit(wpa_s->wps->registrar);
+ dh5_free(wpa_s->wps->dh_ctx);
 wpabuf_free(wpa_s->wps->dh_pubkey);
 wpabuf_free(wpa_s->wps->dh_privkey);
 wpabuf_free(wpa_s->wps->dev.vendor_ext_m1);
--
2.47.2
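Review bot: The added `dh5_free(wps->dh_ctx);` in `hostapd_free_wps()` is only safe if the code that hands dh_ctx over to the WPS state also clears the context's pointer. That hand-over is not part of this patch, so if the pointer is left in place, the leak fix becomes a double free of DH key state. The same applies to `dh5_free(wpa_s->wps->dh_ctx);` in `wpas_wps_deinit()`. I would state the ownership rule in a comment above each call, for example `/* still owned by the context only if it was never handed to a WPS session */`. I would also confirm that `dh5_free()` accepts NULL in every crypto backend, since the commit message suggests the pointer has usually been handed over by this point. Both function bodies continue outside their hunks, so whether the struct is released right after, which would make resetting the pointer to NULL unnecessary, cannot be checked from here.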