From 391d922bcfcbb92e78b558fc7892f51c50929ba2 Mon Sep 17 00:00:00 2001
From: Nishant Chaprana <n.chaprana@samsung.com>
Date: Tue, 21 Aug 2018 17:07:51 +0530
Subject: [PATCH] EAP-pwd peer: Fix memory leak in eap_pwd_perform_confirm_exchange()

hash variable is allocated memory using eap_pwd_h_init(), but there are couple of error case code paths which skips deallocation of hash. The memory of hash is deallocated using eap_pwd_h_final(). Fix this by calling eap_pwd_h_final() at the end of the function if execution got there through one of those error cases.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
---
 src/eap_peer/eap_pwd.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 90ac3cf7f..761c16af9 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -696,7 +696,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 const struct wpabuf *reqData, const u8 *payload, size_t payload_len)
 {
- struct crypto_hash *hash;
+ struct crypto_hash *hash = NULL;
 u32 cs;
 u16 grp;
 u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
@@ -783,6 +783,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 /* random function fin */
 eap_pwd_h_final(hash, conf);
+ hash = NULL;
 ptr = (u8 *) payload;
 if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
@@ -836,6 +837,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 /* all done */
 eap_pwd_h_final(hash, conf);
+ hash = NULL;
 if (compute_keys(data->grp, data->k, data->my_scalar, data->server_scalar, conf, ptr,
@@ -860,6 +862,10 @@ fin:
 } else {
 eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
 }
+
+ /* clean allocated memory */
+ if (hash)
+ eap_pwd_h_final(hash, conf);
 }
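Review bot: The `hash = NULL;` added after `eap_pwd_h_final(hash, conf);` in the `@@ -783,6 +783,7 @@` hunk, and again in the `@@ -836,6 +837,7 @@` hunk, is the only thing that keeps the new cleanup at `fin:` from finalizing a context that was already released, and nothing at either site says so. A later edit that adds or moves a finalize call without the reset would turn this leak fix into a double free. I would add a comment at both places, for example `/* context released by eap_pwd_h_final(); clear it so fin: does not finalize it again */`. The function body starts and ends outside both hunks, so the re-initialisation of `hash` that presumably sits between them is not visible here.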
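Review bot: The cleanup added at the end of the `@@ -860,6 +862,10 @@` hunk finalizes a partially fed hash only to release it, but the comment `/* clean allocated memory */` does not say that the digest written into `conf` is a throwaway. A more precise comment would be `/* error path: eap_pwd_h_final() is called only to release the hash context; the digest in conf is not used */`. `conf` is a stack buffer and the visible lines do not clear it before returning; whether that residue matters depends on what was fed to the hash before the failure, which lies outside the hunk. The `if (hash)` test is only as good as the `= NULL` initialiser in the first hunk plus the two resets, so any `goto fin` outside these hunks should be checked against that invariant.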