Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-17 17:43:06 -05:00
Code Issues Projects Releases Wiki Activity

PMKSA: Fix use-after-free in pmksa_cache_clone_entry()

Browse Source 
pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache
is full. This can result in the PMKSA cache containing entries with
corrupt expiration times.

Signed-off-by: Andrew Elble <aweits@rit.edu>
This commit is contained in:
Andrew Elble 2017-09-07 21:42:02 -04:00 committed by Jouni Malinen
parent 504c7ffd69
commit 155bf11088
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/rsn_supp/pmksa_cache.c
View File

@ -367,6 +367,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
const u8 *aa) const u8 *aa)
{ {
struct rsn_pmksa_cache_entry *new_entry; struct rsn_pmksa_cache_entry *new_entry;
os_time_t old_expiration = old_entry->expiration;
new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len, new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
NULL, NULL, 0, NULL, NULL, 0,
@ -378,7 +379,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
return NULL; return NULL;
/* TODO: reorder entries based on expiration time? */ /* TODO: reorder entries based on expiration time? */
new_entry->expiration = old_entry->expiration; new_entry->expiration = old_expiration;
new_entry->opportunistic = 1; new_entry->opportunistic = 1;
return new_entry; return new_entry;