From f460a7e12c72d9dc9d2d5dfc038cf76980ba953b Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Fri, 24 Aug 2018 03:37:53 +0200
Subject: [PATCH] ap: eapol_sm lifecycle fixes

On one hand when we're called with HANDSHAKE_EVENT_FAILED or HANDSHAKE_EVENT_SETTING_KEYS_FAILED the eapol_sm will be freed in eapol.c, fix a double-free by setting it to NULL before ap_free_sta is called. On the other hand make sure we call eapol_sm_free before setting sta->sm to NULL in ap_drop_rsna to avoid potential leak and avoid the eapol_sm continuing to use the handshake_state we freed.
---
 src/ap.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/ap.c b/src/ap.c
index 4068d26f..89990612 100644
--- a/src/ap.c
+++ b/src/ap.c
@@ -229,7 +229,12 @@ static void ap_drop_rsna(struct sta_state *sta)
 l_error("Issuing DEL_KEY failed");
 }
 
- handshake_state_free(sta->hs);
+ if (sta->sm)
+ eapol_sm_free(sta->sm);
+
+ if (sta->hs)
+ handshake_state_free(sta->hs);
+
 sta->hs = NULL;
 sta->sm = NULL;
 }
@@ -370,6 +375,7 @@ static void ap_handshake_event(struct handshake_state *hs,
 netdev_handshake_failed(hs, l_get_u16(event_data));
 /* fall through */
 case HANDSHAKE_EVENT_SETTING_KEYS_FAILED:
+ sta->sm = NULL;
 ap_remove_sta(sta);
 default:
 break;
@@ -425,6 +431,7 @@ static void ap_associate_sta_cb(struct l_genl_msg *msg, void *user_data)
 sta->sm = eapol_sm_new(sta->hs);
 if (!sta->sm) {
 handshake_state_free(sta->hs);
+ sta->hs = NULL;
 l_error("could not create sm object");
 goto error;
 }
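Review bot: The ordering constraint in ap_drop_rsna — eapol_sm_free(sta->sm) must run before handshake_state_free(sta->hs) — is stated only in the commit message, and nothing in the code stops a later edit from swapping the two blocks back and reintroducing the use-after-free the commit fixes. A one-line why-comment above the first new `if (sta->sm)` would pin it: `/* The sm still references sta->hs: free it before the handshake state */`. Whether the `if (sta->sm)` / `if (sta->hs)` guards are needed depends on whether eapol_sm_free() and handshake_state_free() tolerate NULL, which is not visible here; if they do, the guards are redundant and could be dropped for brevity. ap_drop_rsna starts before this hunk.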
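Review bot: The added `sta->sm = NULL;` under HANDSHAKE_EVENT_SETTING_KEYS_FAILED (reached by fall-through from the FAILED case as well) silently drops the pointer, and a reader cannot tell from this function that eapol.c owns the free on these events; add `/* eapol.c frees the sm itself on these events, only drop our reference */` above it. If eapol.c frees the sm only after this callback returns and still dereferences its handshake state at that point, ap_remove_sta() → ap_drop_rsna() freeing sta->hs here would still leave a dangling reference — worth confirming against the eapol.c free path, which this hunk does not show. As a style point, `ap_remove_sta(sta);` falls through into `default:` without a `break;`; adding one makes the intent explicit and survives a later case being inserted between them. ap_handshake_event starts before this hunk.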
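Review bot: The `sta->hs = NULL;` after handshake_state_free() in ap_associate_sta_cb only makes sense if the `error:` path (outside this hunk) ends in ap_free_sta()/ap_drop_rsna(), and that dependency is undocumented; a comment such as `/* error path tears down sta via ap_drop_rsna, which would free hs again */` would explain the assignment. If that is indeed the case, with the NULL-guarded ap_drop_rsna from the first hunk the explicit free could be dropped entirely and the block reduced to `if (!sta->sm) { l_error("could not create sm object"); goto error; }`, keeping a single owner for sta->hs teardown; that relies on the error label's behaviour, which should be checked before simplifying.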