ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
data, but secy_delete_transmit_sc() still needs it. Since this functions
are called sequentially, secy_delete_transmit_sc() can be called from
ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.
Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@xxxxxxxxx>
---
src/pae/ieee802_1x_kay.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 31905ed..1d4ed89 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
ieee802_1x_delete_transmit_sa(participant->kay, psa);
+ secy_delete_transmit_sc(participant->kay, psc);
os_free(psc);
}
@@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
}
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
- secy_delete_transmit_sc(kay, participant->txsc);
os_memset(&participant->cak, 0, sizeof(participant->cak));
os_memset(&participant->kek, 0, sizeof(participant->kek));
--
2.7.4
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
