From 7c30fc2cbf087d42c59bb1c773bcb3c60c52d0dc Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Thu, 23 Dec 2021 09:47:36 -0600
Subject: [PATCH] netdev: do not leak auth_cmd

Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fa226fbf0f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8)
#1 0x688c98 in l_malloc ell/util.c:62
#2 0x6c2b19 in msg_alloc ell/genl.c:740
#3 0x6cb32c in l_genl_msg_new_sized ell/genl.c:1567
#4 0x424f57 in netdev_build_cmd_authenticate src/netdev.c:3285
#5 0x425b50 in netdev_sae_tx_authenticate src/netdev.c:3385
---
 src/netdev.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index 4662705b..78467d3e 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -3393,7 +3393,19 @@ static void netdev_sae_tx_authenticate(const uint8_t *body,
 return;
 }
 
- netdev->auth_cmd = l_genl_msg_ref(msg);
+ /*
+ * Sometimes due to the way the scheduling works out, netdev_auth_cb
+ * is sent after the SAE Authentication reply from the AP arrives.
+ * Do not leak auth_cmd if this occurs. Note that if auth_cmd is not
+ * NULL and we are here, there's no further reason to save off auth_cmd.
+ * This is done only if the kernel's cache lacks the BSS we are trying
+ * to communicate with.
+ */
+ if (netdev->auth_cmd) {
+ l_genl_msg_unref(netdev->auth_cmd);
+ netdev->auth_cmd = NULL;
+ } else
+ netdev->auth_cmd = l_genl_msg_ref(msg);
 }
 
 static void netdev_sae_tx_associate(void *user_data)
@@ -3450,7 +3462,12 @@ static void netdev_fils_tx_authenticate(const uint8_t *body,
 return;
 }
 
- netdev->auth_cmd = l_genl_msg_ref(msg);
+ /* See comment in netdev_sae_tx_authenticate */
+ if (netdev->auth_cmd) {
+ l_genl_msg_unref(netdev->auth_cmd);
+ netdev->auth_cmd = NULL;
+ } else
+ netdev->auth_cmd = l_genl_msg_ref(msg);
 }
 
 static void netdev_fils_tx_associate(struct iovec *fils_iov, size_t n_fils_iov,
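Review bot: The new `if (netdev->auth_cmd)` branch in netdev_sae_tx_authenticate makes auth_cmd a two-state flag (NULL: nothing in flight; non-NULL: a command was sent but netdev_auth_cb has not run yet) and, on the second call, both drops the stale reference and deliberately keeps neither message, so netdev_auth_cb, which is outside this hunk, must tolerate `netdev->auth_cmd == NULL` when it finally runs; if its BSS-not-in-cache retry path dereferences auth_cmd unconditionally, the fix trades a leak for a NULL dereference, which I cannot verify from here. The comment should record that invariant rather than the scheduling anecdote, e.g. `/* auth_cmd != NULL means a previous authenticate is still pending in netdev_auth_cb: drop it and keep neither; netdev_auth_cb must handle auth_cmd == NULL. */`. Kernel style, which the `} else` form otherwise follows, asks for braces on both branches when one needs them: `} else {` / `netdev->auth_cmd = l_genl_msg_ref(msg);` / `}`. The enclosing function begins before the hunk, so whether the local `msg` reference is released on this path is not visible.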
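Review bot: The five-line stash-or-drop sequence added to netdev_fils_tx_authenticate is a verbatim copy of the one added to netdev_sae_tx_authenticate, with a "See comment in ..." pointer standing in for its rationale; the two will drift the next time the pending-command rule changes. A small static helper keeps the invariant and its comment in one place and lets both tx_authenticate paths call `netdev_auth_cmd_store(netdev, msg);` (type names below are inferred from `netdev->auth_cmd` and `l_genl_msg_ref(msg)`; confirm against the declarations). The enclosing function begins outside the hunk.
```c
/*
 * Keep the in-flight authenticate command for netdev_auth_cb. If a
 * previous command is still pending there, drop it and keep neither.
 * netdev_auth_cb must therefore tolerate auth_cmd == NULL.
 */
static void netdev_auth_cmd_store(struct netdev *netdev,
					struct l_genl_msg *msg)
{
	if (netdev->auth_cmd) {
		l_genl_msg_unref(netdev->auth_cmd);
		netdev->auth_cmd = NULL;
		return;
	}

	netdev->auth_cmd = l_genl_msg_ref(msg);
}

/* … in netdev_fils_tx_authenticate, replacing the duplicated block … */
	netdev_auth_cmd_store(netdev, msg);
```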