ap: eapol_sm lifecycle fixes
On one hand when we're called with HANDSHAKE_EVENT_FAILED or HANDSHAKE_EVENT_SETTING_KEYS_FAILED the eapol_sm will be freed in eapol.c, fix a double-free by setting it to NULL before ap_free_sta is called. On the other hand make sure we call eapol_sm_free before setting sta->sm to NULL in ap_drop_rsna to avoid potential leak and avoid the eapol_sm continuing to use the handshake_state we freed.
This commit is contained in:
Andrew Zaborowski
Denis Kenzior
parent
c0a70cc9b7
commit
f460a7e12c
9
src/ap.c
9
src/ap.c
|
|
@ -229,7 +229,12 @@ static void ap_drop_rsna(struct sta_state *sta)
|
||||||
l_error("Issuing DEL_KEY failed");
|
l_error("Issuing DEL_KEY failed");
|
||||||
}
|
}
|
||||||
|
|
||||||
handshake_state_free(sta->hs);
|
if (sta->sm)
|
||||||
|
eapol_sm_free(sta->sm);
|
||||||
|
|
||||||
|
if (sta->hs)
|
||||||
|
handshake_state_free(sta->hs);
|
||||||
|
|
||||||
sta->hs = NULL;
|
sta->hs = NULL;
|
||||||
sta->sm = NULL;
|
sta->sm = NULL;
|
||||||
}
|
}
|
||||||
|
|
@ -370,6 +375,7 @@ static void ap_handshake_event(struct handshake_state *hs,
|
||||||
netdev_handshake_failed(hs, l_get_u16(event_data));
|
netdev_handshake_failed(hs, l_get_u16(event_data));
|
||||||
/* fall through */
|
/* fall through */
|
||||||
case HANDSHAKE_EVENT_SETTING_KEYS_FAILED:
|
case HANDSHAKE_EVENT_SETTING_KEYS_FAILED:
|
||||||
|
sta->sm = NULL;
|
||||||
ap_remove_sta(sta);
|
ap_remove_sta(sta);
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
|
|
@ -425,6 +431,7 @@ static void ap_associate_sta_cb(struct l_genl_msg *msg, void *user_data)
|
||||||
sta->sm = eapol_sm_new(sta->hs);
|
sta->sm = eapol_sm_new(sta->hs);
|
||||||
if (!sta->sm) {
|
if (!sta->sm) {
|
||||||
handshake_state_free(sta->hs);
|
handshake_state_free(sta->hs);
|
||||||
|
sta->hs = NULL;
|
||||||
l_error("could not create sm object");
|
l_error("could not create sm object");
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue