From: Benjamin Berg <benjamin.berg@intel.com>
Date: Thu, 12 Jun 2025 08:10:19 +0000 (+0200)
Subject: WPS: Fix leak of dh_ctx in error cases
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0c922f11bb1eead2771d4bcdf5adaa724498dae3;p=thirdparty%2Fhostap.git

WPS: Fix leak of dh_ctx in error cases

Usually the dh_ctx is passed into the WPS state and is freed in that
case. However, under some circumstances this may not happen and then a
leak can occur.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
---

diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 82d4d5fdd..ceaf9a453 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -20,6 +20,7 @@
 #include "wps/wps_defs.h"
 #include "wps/wps_dev_attr.h"
 #include "wps/wps_attr_parse.h"
+#include "crypto/dh_group5.h"
 #include "hostapd.h"
 #include "ap_config.h"
 #include "ap_drv_ops.h"
@@ -1071,6 +1072,7 @@ static void hostapd_free_wps(struct wps_context *wps)
 	wps_device_data_free(&wps->dev);
 	bin_clear_free(wps->network_key, wps->network_key_len);
 	hostapd_wps_nfc_clear(wps);
+	dh5_free(wps->dh_ctx);
 	wpabuf_free(wps->dh_pubkey);
 	wpabuf_free(wps->dh_privkey);
 	forced_memzero(wps->psk, sizeof(wps->psk));
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index d332f000c..405c5d605 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1709,6 +1709,7 @@ void wpas_wps_deinit(struct wpa_supplicant *wpa_s)
 #endif /* CONFIG_WPS_ER */
 
 	wps_registrar_deinit(wpa_s->wps->registrar);
+	dh5_free(wpa_s->wps->dh_ctx);
 	wpabuf_free(wpa_s->wps->dh_pubkey);
 	wpabuf_free(wpa_s->wps->dh_privkey);
 	wpabuf_free(wpa_s->wps->dev.vendor_ext_m1);