netdev: do not leak auth_cmd

Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7fa226fbf0f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8) #1 0x688c98 in l_malloc ell/util.c:62 #2 0x6c2b19 in msg_alloc ell/genl.c:740 #3 0x6cb32c in l_genl_msg_new_sized ell/genl.c:1567 #4 0x424f57 in netdev_build_cmd_authenticate src/netdev.c:3285 #5 0x425b50 in netdev_sae_tx_authenticate src/netdev.c:3385
2021-12-23 09:47:36 -06:00 · 2021-12-23 09:47:36 -06:00 · 7c30fc2cbf
parent 60366346fb
commit 7c30fc2cbf
1 changed files with 19 additions and 2 deletions
--- a/src/netdev.c
+++ b/src/netdev.c
@ -3393,7 +3393,19 @@ static void netdev_sae_tx_authenticate(const uint8_t *body,
 		return;
 	}

-	netdev->auth_cmd = l_genl_msg_ref(msg);
+	/*
+	 * Sometimes due to the way the scheduling works out, netdev_auth_cb
+	 * is sent after the SAE Authentication reply from the AP arrives.
+	 * Do not leak auth_cmd if this occurs.  Note that if auth_cmd is not
+	 * NULL and we are here, there's no further reason to save off auth_cmd.
+	 * This is done only if the kernel's cache lacks the BSS we are trying
+	 * to communicate with.
+	 */
+	if (netdev->auth_cmd) {
+		l_genl_msg_unref(netdev->auth_cmd);
+		netdev->auth_cmd = NULL;
+	} else
+		netdev->auth_cmd = l_genl_msg_ref(msg);
 }

 static void netdev_sae_tx_associate(void *user_data)
@ -3450,7 +3462,12 @@ static void netdev_fils_tx_authenticate(const uint8_t *body,
 		return;
 	}

-	netdev->auth_cmd = l_genl_msg_ref(msg);
+	/* See comment in netdev_sae_tx_authenticate */
+	if (netdev->auth_cmd) {
+		l_genl_msg_unref(netdev->auth_cmd);
+		netdev->auth_cmd = NULL;
+	} else
+		netdev->auth_cmd = l_genl_msg_ref(msg);
 }

 static void netdev_fils_tx_associate(struct iovec *fils_iov, size_t n_fils_iov,