mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 18:28:23 -05:00
TDLS: Fix error path handling for TPK M1 send failures
Local allocation error or failure to get a random number could have resulted in the peer entry getting freed, and a couple of the error path cases in callers could have tried to reference or delete the peer after that. Fix this by tracking the errors where the peer is freed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
parent
3d490296bc
commit
a86078c876
@ -1155,7 +1155,7 @@ skip_rsnie:
|
|||||||
rbuf = os_zalloc(buf_len + 1);
|
rbuf = os_zalloc(buf_len + 1);
|
||||||
if (rbuf == NULL) {
|
if (rbuf == NULL) {
|
||||||
wpa_tdls_peer_free(sm, peer);
|
wpa_tdls_peer_free(sm, peer);
|
||||||
return -1;
|
return -2;
|
||||||
}
|
}
|
||||||
pos = rbuf;
|
pos = rbuf;
|
||||||
|
|
||||||
@ -1174,7 +1174,7 @@ skip_rsnie:
|
|||||||
"TDLS: Failed to get random data for initiator Nonce");
|
"TDLS: Failed to get random data for initiator Nonce");
|
||||||
os_free(rbuf);
|
os_free(rbuf);
|
||||||
wpa_tdls_peer_free(sm, peer);
|
wpa_tdls_peer_free(sm, peer);
|
||||||
return -1;
|
return -2;
|
||||||
}
|
}
|
||||||
peer->tk_set = 0; /* A new nonce results in a new TK */
|
peer->tk_set = 0; /* A new nonce results in a new TK */
|
||||||
wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
|
wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
|
||||||
@ -1926,7 +1926,8 @@ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
|
|||||||
peer->initiator = 1;
|
peer->initiator = 1;
|
||||||
wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
|
wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
|
||||||
NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
|
NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
|
||||||
wpa_tdls_send_tpk_m1(sm, peer);
|
if (wpa_tdls_send_tpk_m1(sm, peer) == -2)
|
||||||
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
|
if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
|
||||||
@ -2654,6 +2655,7 @@ int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
|
|||||||
{
|
{
|
||||||
struct wpa_tdls_peer *peer;
|
struct wpa_tdls_peer *peer;
|
||||||
int tdls_prohibited = sm->tdls_prohibited;
|
int tdls_prohibited = sm->tdls_prohibited;
|
||||||
|
int res;
|
||||||
|
|
||||||
if (sm->tdls_disabled || !sm->tdls_supported)
|
if (sm->tdls_disabled || !sm->tdls_supported)
|
||||||
return -1;
|
return -1;
|
||||||
@ -2693,7 +2695,9 @@ int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
|
|||||||
|
|
||||||
peer->tpk_in_progress = 1;
|
peer->tpk_in_progress = 1;
|
||||||
|
|
||||||
if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
|
res = wpa_tdls_send_tpk_m1(sm, peer);
|
||||||
|
if (res < 0) {
|
||||||
|
if (res != -2)
|
||||||
wpa_tdls_disable_peer_link(sm, peer);
|
wpa_tdls_disable_peer_link(sm, peer);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
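Review bot: In the wpa_tdls_process_tpk_m1 hunk, `goto error;` is taken exactly when wpa_tdls_send_tpk_m1() returned -2, that is after wpa_tdls_peer_free(sm, peer) has run, yet the local `peer` still holds the old pointer when control reaches the label. The `error:` label is outside the visible hunk, so this cannot be confirmed from here, but if that path touches peer (for example to disable the link) it would operate on an entry the commit message describes as already freed. Clearing the pointer first, `peer = NULL;` before `goto error;`, would close that gap, provided the label tolerates a NULL peer. The -2 convention is also only implicit in the two `return -2;` lines; a comment on wpa_tdls_send_tpk_m1 such as `/* Returns -2 if the peer entry was freed; callers must not use peer afterwards */` would keep future callers from repeating the pattern that wpa_tdls_start now guards against with `if (res != -2)`.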