From: Davide Caratti
Date: Thu, 16 Mar 2017 13:01:55 +0000 (+0100)
Subject: mka: Fix use-after-free when transmit secure channels are deleted
X-Git-Tag: hostap_2_7~1431
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e50df5d2a265a462b0efc056d360649608f160bf;p=thirdparty%2Fhostap.git

mka: Fix use-after-free when transmit secure channels are deleted

ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel data, but secy_delete_transmit_sc() still needs it. Since these functions are called sequentially, secy_delete_transmit_sc() can be called from ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.

Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti
---
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 31905ed6b..1d4ed89c0 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc( dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list) ieee802_1x_delete_transmit_sa(participant->kay, psa); + secy_delete_transmit_sc(participant->kay, psc); os_free(psc); } @@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn) ieee802_1x_kay_deinit_receive_sc(participant, rxsc); } ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc); - secy_delete_transmit_sc(kay, participant->txsc); os_memset(&participant->cak, 0, sizeof(participant->cak)); os_memset(&participant->kek, 0, sizeof(participant->kek));
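
Review bot: The secy_delete_transmit_sc(participant->kay, psc) call added before os_free(psc) in ieee802_1x_kay_deinit_transmit_sc() (first hunk) now runs for every caller of this helper, but the patch only adjusts ieee802_1x_kay_delete_mka(). Please confirm that no other call site still calls secy_delete_transmit_sc() on the same pointer after the helper returns, since that would be the same use-after-free, and that every caller actually wants the channel removed at the secy layer. A one-line comment above the new call stating that it must stay ahead of os_free(psc) would also help, given that the commit named in the Fixes: tag introduced this bug by reordering the same operations.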
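
Review bot: After ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc) in ieee802_1x_kay_delete_mka() (second hunk), participant->txsc still holds the pointer the helper just freed, and nothing in the context shown resets it. Consider adding participant->txsc = NULL; directly after the call, so that any later access through the participant fails on a NULL pointer instead of reading freed memory, which is the class of bug this patch is fixing.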