From e265838a434d9d759776a7657ed665ddc1e83a54 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 6 Feb 2016 00:26:31 +0200
Subject: [PATCH] EAP-FAST: Fix an error path in PAC binary format parsing
Need to clear the pac pointer for the first error case to avoid freeing the previous PAC entry if the following entry has an invalid header.
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_fast_pac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_fast_pac.c b/src/eap_peer/eap_fast_pac.c
index 0220caeda..c81586035 100644
--- a/src/eap_peer/eap_fast_pac.c
+++ b/src/eap_peer/eap_fast_pac.c
@@ -802,8 +802,10 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root,
 while (pos < end) {
 u16 val;
- if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2)
+ if (end - pos < 2 + EAP_FAST_PAC_KEY_LEN + 2 + 2) {
+ pac = NULL;
 goto parse_fail;
+ }
 pac = os_zalloc(sizeof(*pac));
 if (pac == NULL)
-- 
2.47.2
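Review bot: Clearing `pac` only at this one `goto parse_fail` leaves the underlying hazard in place: from the top of each `while (pos < end)` iteration until `pac = os_zalloc(sizeof(*pac));` runs, `pac` still refers to the entry from the previous iteration, which (per the commit message) the error path would free. Resetting it once per iteration, with `pac = NULL;` as the first statement of the loop body or right after a finished entry is handed to the list, would also cover any length check later added ahead of the allocation. If the per-site form is kept, a comment such as `/* pac still points at the previous entry; parse_fail would free it */` records why the assignment is there. The rest of the loop body and the `parse_fail` label are outside the hunk, so the point where ownership of an entry changes hands should be confirmed there.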