ap: eapol_sm lifecycle fixes

On one hand, when we're called with HANDSHAKE_EVENT_FAILED or
HANDSHAKE_EVENT_SETTING_KEYS_FAILED the eapol_sm will be freed in
eapol.c; fix a double free by setting it to NULL before ap_free_sta
is called.
On the other hand make sure we call eapol_sm_free before setting
sta->sm to NULL in ap_drop_rsna to avoid potential leak and avoid
the eapol_sm continuing to use the handshake_state we freed.
This commit is contained in:
Andrew Zaborowski 2018-08-24 03:37:53 +02:00 committed by Denis Kenzior
parent c0a70cc9b7
commit f460a7e12c
1 changed files with 8 additions and 1 deletions


@ -229,7 +229,12 @@ static void ap_drop_rsna(struct sta_state *sta)
l_error("Issuing DEL_KEY failed");
}
handshake_state_free(sta->hs);
if (sta->sm)
eapol_sm_free(sta->sm);
if (sta->hs)
handshake_state_free(sta->hs);
sta->hs = NULL;
sta->sm = NULL;
}
@ -370,6 +375,7 @@ static void ap_handshake_event(struct handshake_state *hs,
netdev_handshake_failed(hs, l_get_u16(event_data));
/* fall through */
case HANDSHAKE_EVENT_SETTING_KEYS_FAILED:
sta->sm = NULL;
ap_remove_sta(sta);
default:
break;
@ -425,6 +431,7 @@ static void ap_associate_sta_cb(struct l_genl_msg *msg, void *user_data)
sta->sm = eapol_sm_new(sta->hs);
if (!sta->sm) {
handshake_state_free(sta->hs);
sta->hs = NULL;
l_error("could not create sm object");
goto error;
}
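Review bot: The `sta->sm = NULL;` added in ap_handshake_event's HANDSHAKE_EVENT_SETTING_KEYS_FAILED case (also reached from HANDSHAKE_EVENT_FAILED through the existing fall-through) encodes an ownership rule that is only written down in the commit message: on these two events eapol.c frees the state machine itself, so the AP must drop its reference before ap_remove_sta (presumably via ap_free_sta and ap_drop_rsna) would call eapol_sm_free on it a second time. Without a comment at that line the next maintainer is likely to read it as a leak and "fix" it; suggest `/* eapol.c frees the sm itself on these events; clear our reference so ap_drop_rsna does not free it again */` directly above the assignment. While there, the case now ends by falling into `default: break;`, and an explicit `break;` after `ap_remove_sta(sta);` would make it obvious that nothing may touch sta once it has been removed. ap_handshake_event's switch starts and ends outside the hunk.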