From: Benjamin Berg <benjamin.berg@intel.com>
Date: Tue, 7 Oct 2025 11:31:09 +0000 (+0200)
Subject: P2P: Fix PASN related memory leaks
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1330bf8be6efead1adede2b7d3fed69522cc65be;p=thirdparty%2Fhostap.git

P2P: Fix PASN related memory leaks

The hwsim tests randomly expose a memory leak in a P2P test.
Unfortunately, it is not clear which exact flow or test is triggering
this memory leak. As such, this just fixes the leaks themselves rather
than adding, e.g., a wpa_pasn_reset() call to fix it that way.

This should fix the seen leak reports:

MEMLEAK[0x550000592a10]: len 172
WPA_TRACE: memleak - START
[0]: wpa_supplicant/wpa_supplicant(os_malloc+0x52) [0x550000070242]
     os_malloc() src/utils/os_unix.c:740
[1]: wpa_supplicant/wpa_supplicant(os_memdup+0x19) [0x550000070289]
     os_memdup() src/utils/os_unix.c:532
[2]: wpa_supplicant/wpa_supplicant(p2p_prepare_data_element+0xdf) [0x5500001067df]
     p2p_prepare_data_element() src/p2p/p2p.c:6907
[3]: wpa_supplicant/wpa_supplicant(+0xe0be7) [0x5500000e0be7]
     wpas_p2p_prepare_data_element() p2p_supplicant.c:5679
[4]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_resp+0x192) [0x5500001d6bf2]
     handle_auth_pasn_resp() src/pasn/pasn_responder.c:569
[5]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_1+0x43e) [0x5500001d767e]
     handle_auth_pasn_1() src/pasn/pasn_responder.c:976
[6]: wpa_supplicant/wpa_supplicant(+0x107105) [0x550000107105]
     p2p_handle_pasn_auth() src/p2p/p2p.c:7184
[7]: wpa_supplicant/wpa_supplicant(p2p_pasn_auth_rx+0xb0) [0x550000107310]
     p2p_pasn_auth_rx() src/p2p/p2p.c:7269
[8]: wpa_supplicant/wpa_supplicant(wpas_p2p_pasn_auth_rx+0x46) [0x5500000f6836]
     wpas_p2p_pasn_auth_rx() p2p_supplicant.c:11619
[9]: wpa_supplicant/wpa_supplicant(+0x2a4e01) [0x5500002a4e01]
     wpas_pasn_auth() events.c:6251
[10]: wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0x17fb) [0x5500002af45b]
     wpa_supplicant_event() events.c:6782
[11]: wpa_supplicant/wpa_supplicant(+0x2de5fc) [0x5500002de5fc]
     mlme_event_mgmt() src/drivers/driver_nl80211_event.c:1451
[12]: wpa_supplicant/wpa_supplicant(+0x2deb01) [0x5500002deb01]
     mlme_event() src/drivers/driver_nl80211_event.c:1884
[13]: wpa_supplicant/wpa_supplicant(process_bss_event+0x18d) [0x5500002e1f2d]
     process_bss_event() src/drivers/driver_nl80211_event.c:4549
[14]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x391) [0x401c9861]
[15]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0xd) [0x401ca07d]
WPA_TRACE: memleak - END
MEMLEAK[0x550000551da0]: len 56
WPA_TRACE: memleak - START
[0]: wpa_supplicant/wpa_supplicant(os_malloc+0x52) [0x550000070242]
     os_malloc() src/utils/os_unix.c:740
[1]: wpa_supplicant/wpa_supplicant(os_zalloc+0xe) [0x5500000704ee]
     os_zalloc() src/utils/os_unix.c:798
[2]: wpa_supplicant/wpa_supplicant(crypto_ec_init+0x23) [0x550000225cd3]
     crypto_ec_init() src/crypto/crypto_openssl.c:2442
[3]: wpa_supplicant/wpa_supplicant(crypto_ecdh_init+0x29) [0x550000226789]
     crypto_ecdh_init() src/crypto/crypto_openssl.c:2748
[4]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_1+0x249) [0x5500001d7489]
     handle_auth_pasn_1() src/pasn/pasn_responder.c:807
[5]: wpa_supplicant/wpa_supplicant(+0x107105) [0x550000107105]
     p2p_handle_pasn_auth() src/p2p/p2p.c:7184
[6]: wpa_supplicant/wpa_supplicant(p2p_pasn_auth_rx+0xb0) [0x550000107310]
     p2p_pasn_auth_rx() src/p2p/p2p.c:7269
[7]: wpa_supplicant/wpa_supplicant(wpas_p2p_pasn_auth_rx+0x46) [0x5500000f6836]
     wpas_p2p_pasn_auth_rx() p2p_supplicant.c:11619
[8]: wpa_supplicant/wpa_supplicant(+0x2a4e01) [0x5500002a4e01]
     wpas_pasn_auth() events.c:6251
[9]: wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0x17fb) [0x5500002af45b]
     wpa_supplicant_event() events.c:6782
[10]: wpa_supplicant/wpa_supplicant(+0x2de5fc) [0x5500002de5fc]
     mlme_event_mgmt() src/drivers/driver_nl80211_event.c:1451
[11]: wpa_supplicant/wpa_supplicant(+0x2deb01) [0x5500002deb01]
     mlme_event() src/drivers/driver_nl80211_event.c:1884
[12]: wpa_supplicant/wpa_supplicant(process_bss_event+0x18d) [0x5500002e1f2d]
     process_bss_event() src/drivers/driver_nl80211_event.c:4549
[13]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x391) [0x401c9861]
[14]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0xd) [0x401ca07d]
[15]: wpa_supplicant/wpa_supplicant(+0x2bd83f) [0x5500002bd83f]
     wpa_driver_nl80211_event_receive() src/drivers/driver_nl80211.c:1932
WPA_TRACE: memleak - END
MEMLEAK[0x550000570410]: len 16
WPA_TRACE: memleak - START
[0]: wpa_supplicant/wpa_supplicant(os_malloc+0x52) [0x550000070242]
     os_malloc() src/utils/os_unix.c:740
[1]: wpa_supplicant/wpa_supplicant(os_zalloc+0xe) [0x5500000704ee]
     os_zalloc() src/utils/os_unix.c:798
[2]: wpa_supplicant/wpa_supplicant(crypto_ecdh_init+0x19) [0x550000226779]
     crypto_ecdh_init() src/crypto/crypto_openssl.c:2744
[3]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_1+0x249) [0x5500001d7489]
     handle_auth_pasn_1() src/pasn/pasn_responder.c:807
[4]: wpa_supplicant/wpa_supplicant(+0x107105) [0x550000107105]
     p2p_handle_pasn_auth() src/p2p/p2p.c:7184
[5]: wpa_supplicant/wpa_supplicant(p2p_pasn_auth_rx+0xb0) [0x550000107310]
     p2p_pasn_auth_rx() src/p2p/p2p.c:7269
[6]: wpa_supplicant/wpa_supplicant(wpas_p2p_pasn_auth_rx+0x46) [0x5500000f6836]
     wpas_p2p_pasn_auth_rx() p2p_supplicant.c:11619
[7]: wpa_supplicant/wpa_supplicant(+0x2a4e01) [0x5500002a4e01]
     wpas_pasn_auth() events.c:6251
[8]: wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0x17fb) [0x5500002af45b]
     wpa_supplicant_event() events.c:6782
[9]: wpa_supplicant/wpa_supplicant(+0x2de5fc) [0x5500002de5fc]
     mlme_event_mgmt() src/drivers/driver_nl80211_event.c:1451
[10]: wpa_supplicant/wpa_supplicant(+0x2deb01) [0x5500002deb01]
     mlme_event() src/drivers/driver_nl80211_event.c:1884
[11]: wpa_supplicant/wpa_supplicant(process_bss_event+0x18d) [0x5500002e1f2d]
     process_bss_event() src/drivers/driver_nl80211_event.c:4549
[12]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x391) [0x401c9861]
[13]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0xd) [0x401ca07d]
[14]: wpa_supplicant/wpa_supplicant(+0x2bd83f) [0x5500002bd83f]
     wpa_driver_nl80211_event_receive() src/drivers/driver_nl80211.c:1932
[15]: wpa_supplicant/wpa_supplicant(+0x71a1d) [0x550000071a1d]
     eloop_sock_table_dispatch() src/utils/eloop.c:606
WPA_TRACE: memleak - END
MEMLEAK: total 244 bytes

Fixes: e147d24a0775 ("P2P2: Add support for GO Negotiation wrapped in PASN auth frame")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
CC: Shivani Baranwal <quic_shivbara@quicinc.com>
---

diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index b19000f4e..a2d78db5f 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -6904,12 +6904,8 @@ int p2p_prepare_data_element(struct p2p_data *p2p, const u8 *peer_addr)
 	if (p2p_pasn_add_encrypted_data(p2p, dev, extra_ies) < 0)
 		p2p_dbg(p2p, "Failed to add PASN encrypted elements");
 
-	pasn->extra_ies = os_memdup(wpabuf_head_u8(extra_ies),
-				    wpabuf_len(extra_ies));
-	if (!pasn->extra_ies)
-		goto out;
-	pasn->extra_ies_len = wpabuf_len(extra_ies);
-	ret = 0;
+	ret = pasn_set_extra_ies(pasn, wpabuf_head_u8(extra_ies),
+				 wpabuf_len(extra_ies));
 
 out:
 	wpabuf_free(extra_ies);
diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index 179ecc4ea..45dd22649 100644
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -807,6 +807,10 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
 		return -1;
 	}
 
+	if (pasn->ecdh) {
+		crypto_ecdh_deinit(pasn->ecdh);
+		pasn->ecdh = NULL;
+	}
 	pasn->ecdh = crypto_ecdh_init(pasn_params.group);
 	if (!pasn->ecdh) {
 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");