RADIUS server: Fix error paths in new session creation

radius_server_session_free() does not remove the session from the
session list and these radius_server_get_new_session() error paths ended
up leaving a pointer to freed memory into the session list. This
resulted in the following operations failing due to use of freed memory.

Fix this by using radius_server_session_remove() which removes the entry
from the list in addition to calling radius_server_session_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2017-03-05 16:16:42 +02:00
parent a47f214e3f
commit de01f254a6

View File

@ -662,14 +662,14 @@ radius_server_get_new_session(struct radius_server_data *data,
sess->username = os_malloc(user_len * 4 + 1);
if (sess->username == NULL) {
radius_server_session_free(data, sess);
radius_server_session_remove(data, sess);
return NULL;
}
printf_encode(sess->username, user_len * 4 + 1, user, user_len);
sess->nas_ip = os_strdup(from_addr);
if (sess->nas_ip == NULL) {
radius_server_session_free(data, sess);
radius_server_session_remove(data, sess);
return NULL;
}
@ -702,7 +702,7 @@ radius_server_get_new_session(struct radius_server_data *data,
if (sess->eap == NULL) {
RADIUS_DEBUG("Failed to initialize EAP state machine for the "
"new session");
radius_server_session_free(data, sess);
radius_server_session_remove(data, sess);
return NULL;
}
sess->eap_if = eap_get_interface(sess->eap);