TDLS: Fix error path handling for TPK M1 send failures

Local allocation error or failure to get a random number could have
resulted in the peer entry getting freed, and a couple of the error path
cases in callers could have tried to reference or delete the peer after
that. Fix this by tracking the errors where the peer is freed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2020-11-02 17:26:04 +02:00 committed by Jouni Malinen
parent 3d490296bc
commit a86078c876


@ -1155,7 +1155,7 @@ skip_rsnie:
rbuf = os_zalloc(buf_len + 1);
if (rbuf == NULL) {
wpa_tdls_peer_free(sm, peer);
return -1;
return -2;
}
pos = rbuf;
@ -1174,7 +1174,7 @@ skip_rsnie:
"TDLS: Failed to get random data for initiator Nonce");
os_free(rbuf);
wpa_tdls_peer_free(sm, peer);
return -1;
return -2;
}
peer->tk_set = 0; /* A new nonce results in a new TK */
wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
@ -1926,7 +1926,8 @@ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
peer->initiator = 1;
wpa_sm_tdls_peer_addset(sm, peer->addr, 1, 0, 0, NULL, 0, NULL,
NULL, 0, 0, NULL, 0, NULL, 0, NULL, 0);
wpa_tdls_send_tpk_m1(sm, peer);
if (wpa_tdls_send_tpk_m1(sm, peer) == -2)
goto error;
}
if ((tdls_testing & TDLS_TESTING_IGNORE_AP_PROHIBIT) &&
@ -2654,6 +2655,7 @@ int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
{
struct wpa_tdls_peer *peer;
int tdls_prohibited = sm->tdls_prohibited;
int res;
if (sm->tdls_disabled || !sm->tdls_supported)
return -1;
@ -2693,7 +2695,9 @@ int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr)
peer->tpk_in_progress = 1;
if (wpa_tdls_send_tpk_m1(sm, peer) < 0) {
res = wpa_tdls_send_tpk_m1(sm, peer);
if (res < 0) {
if (res != -2)
wpa_tdls_disable_peer_link(sm, peer);
return -1;
}
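Review bot: In the wpa_tdls_process_tpk_m1() hunk, the new `goto error;` is taken only after wpa_tdls_send_tpk_m1() has already freed the peer, yet the local `peer` pointer still holds the stale address at the jump. The `error` label lies outside the visible hunk, so this cannot be confirmed from here, but if that path dereferences or frees `peer` the result would be a use-after-free or double free; bracing the branch and adding `peer = NULL;` before `goto error;` would make the jump safe, provided the label tolerates a NULL peer. Separately, the bare `-2` is now a contract between wpa_tdls_send_tpk_m1() and its callers (the `== -2` test here and `res != -2` in wpa_tdls_start()). A header comment on wpa_tdls_send_tpk_m1() such as `/* Returns: -1 on failure with peer still valid, -2 on failure after peer was freed */` would keep a future caller from touching a freed entry. Both functions start and end outside the hunks shown.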