Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-11-25 08:48:31 -05:00
Code Issues Projects Releases Wiki Activity

mka: Fix use-after-free when receive secure channels are deleted

Browse Source 
ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
but secy_delete_receive_sc() still needs it. Since these two functions
are always called sequentially, secy_delete_receive_sc() can be called
from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.

Fixes: 128f6a98b3 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
This commit is contained in:
Davide Caratti 2017-03-16 14:01:54 +01:00 committed by Jouni Malinen
parent faf0fef1dc
commit 529d6ed726
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/pae/ieee802_1x_kay.c
View File

@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
ieee802_1x_delete_receive_sa(participant->kay, psa); ieee802_1x_delete_receive_sa(participant->kay, psa);
dl_list_del(&psc->list); dl_list_del(&psc->list);
secy_delete_receive_sc(participant->kay, psc);
os_free(psc); os_free(psc);
} }
@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
if (sci_equal(&rxsc->sci, &peer->sci)) { if (sci_equal(&rxsc->sci, &peer->sci)) {
ieee802_1x_kay_deinit_receive_sc( ieee802_1x_kay_deinit_receive_sc(
participant, rxsc); participant, rxsc);
secy_delete_receive_sc(kay, rxsc);
} }
} }
dl_list_del(&peer->list); dl_list_del(&peer->list);
@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
rxsc = dl_list_entry(participant->rxsc_list.next, rxsc = dl_list_entry(participant->rxsc_list.next,
struct receive_sc, list); struct receive_sc, list);
ieee802_1x_kay_deinit_receive_sc(participant, rxsc); ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
secy_delete_receive_sc(kay, rxsc);
} }
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc); ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
secy_delete_transmit_sc(kay, participant->txsc); secy_delete_transmit_sc(kay, participant->txsc);