From: Jouni Malinen <j@w1.fi>
Date: Sun, 5 Mar 2017 14:16:42 +0000 (+0200)
Subject: RADIUS server: Fix error paths in new session creation
X-Git-Tag: hostap_2_7~1507
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de01f254a61a4432ba89f3a5dc950d8678021d44;p=thirdparty%2Fhostap.git

RADIUS server: Fix error paths in new session creation

radius_server_session_free() does not remove the session from the
session list and these radius_server_get_new_session() error paths ended
up leaving a pointer to freed memory into the session list. This
resulted in the following operations failing due to use of freed memory.

Fix this by using radius_server_session_remove() which removes the entry
from the list in addition to calling radius_server_session_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index e8bef45fc..6cce2ff00 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -662,14 +662,14 @@ radius_server_get_new_session(struct radius_server_data *data,
 
 	sess->username = os_malloc(user_len * 4 + 1);
 	if (sess->username == NULL) {
-		radius_server_session_free(data, sess);
+		radius_server_session_remove(data, sess);
 		return NULL;
 	}
 	printf_encode(sess->username, user_len * 4 + 1, user, user_len);
 
 	sess->nas_ip = os_strdup(from_addr);
 	if (sess->nas_ip == NULL) {
-		radius_server_session_free(data, sess);
+		radius_server_session_remove(data, sess);
 		return NULL;
 	}
 
@@ -702,7 +702,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 	if (sess->eap == NULL) {
 		RADIUS_DEBUG("Failed to initialize EAP state machine for the "
 			     "new session");
-		radius_server_session_free(data, sess);
+		radius_server_session_remove(data, sess);
 		return NULL;
 	}
 	sess->eap_if = eap_get_interface(sess->eap);