3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-01-10 17:52:36 +01:00

netdev: do not leak auth_cmd

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fa226fbf0f8 in __interceptor_malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.4.0/libasan.so.5+0x10c0f8)
    #1 0x688c98 in l_malloc ell/util.c:62
    #2 0x6c2b19 in msg_alloc ell/genl.c:740
    #3 0x6cb32c in l_genl_msg_new_sized ell/genl.c:1567
    #4 0x424f57 in netdev_build_cmd_authenticate src/netdev.c:3285
    #5 0x425b50 in netdev_sae_tx_authenticate src/netdev.c:3385
This commit is contained in:
Denis Kenzior 2021-12-23 09:47:36 -06:00
parent 60366346fb
commit 7c30fc2cbf

View File

@ -3393,7 +3393,19 @@ static void netdev_sae_tx_authenticate(const uint8_t *body,
return;
}
netdev->auth_cmd = l_genl_msg_ref(msg);
/*
* Sometimes due to the way the scheduling works out, netdev_auth_cb
* is sent after the SAE Authentication reply from the AP arrives.
* Do not leak auth_cmd if this occurs. Note that if auth_cmd is not
* NULL and we are here, there's no further reason to save off auth_cmd.
* This is done only if the kernel's cache lacks the BSS we are trying
* to communicate with.
*/
if (netdev->auth_cmd) {
l_genl_msg_unref(netdev->auth_cmd);
netdev->auth_cmd = NULL;
} else
netdev->auth_cmd = l_genl_msg_ref(msg);
}
static void netdev_sae_tx_associate(void *user_data)
@ -3450,7 +3462,12 @@ static void netdev_fils_tx_authenticate(const uint8_t *body,
return;
}
netdev->auth_cmd = l_genl_msg_ref(msg);
/* See comment in netdev_sae_tx_authenticate */
if (netdev->auth_cmd) {
l_genl_msg_unref(netdev->auth_cmd);
netdev->auth_cmd = NULL;
} else
netdev->auth_cmd = l_genl_msg_ref(msg);
}
static void netdev_fils_tx_associate(struct iovec *fils_iov, size_t n_fils_iov,