From: Andrew Elble Date: Fri, 8 Sep 2017 01:42:02 +0000 (-0400) Subject: PMKSA: Fix use-after-free in pmksa_cache_clone_entry() X-Git-Tag: hostap_2_7~1128 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=155bf110881290f2db6b8b4dc510aaa1dbc6a01a;p=thirdparty%2Fhostap.git PMKSA: Fix use-after-free in pmksa_cache_clone_entry() pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache is full. This can result in the PMKSA cache containing entries with corrupt expiration times. Signed-off-by: Andrew Elble --- diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c index e1cfa146a..a353404c2 100644 --- a/src/rsn_supp/pmksa_cache.c +++ b/src/rsn_supp/pmksa_cache.c @@ -367,6 +367,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, const u8 *aa) { struct rsn_pmksa_cache_entry *new_entry; + os_time_t old_expiration = old_entry->expiration; new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len, NULL, NULL, 0, @@ -378,7 +379,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, return NULL; /* TODO: reorder entries based on expiration time? */ - new_entry->expiration = old_entry->expiration; + new_entry->expiration = old_expiration; new_entry->opportunistic = 1; return new_entry;
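Review bot: In the first hunk (@@ -367,6 +367,7 @@), the pmksa_cache_add() call that follows the new old_expiration local still passes old_entry->pmk and old_entry->pmk_len, so the fix is complete only if the callee copies the PMK before it can evict and free old_entry. Please confirm that ordering and state it in the commit message, which names pmksa_cache_add_entry() while the visible call is to pmksa_cache_add(). A one-line comment above `os_time_t old_expiration = old_entry->expiration;` saying that old_entry may be freed by the add call would stop a later cleanup from folding the local back into a direct old_entry->expiration read.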
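Review bot: In the second hunk (@@ -378,7 +379,7 @@), `new_entry->expiration = old_expiration;` no longer reads freed memory, but nothing in the change tells callers of pmksa_cache_clone_entry() that the old_entry pointer they passed in may be dangling once the function returns. Suggest a comment on the function saying that old_entry must not be dereferenced after the call, and a check of the call sites for any use of it afterwards. Separately, the expiration is still overwritten after the entry has been added to the cache, which the unchanged TODO ("reorder entries based on expiration time?") leaves open; it is worth noting in the commit message that this patch does not address that.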