in case MKA is initialized successfully, local copies of CAK and CKN are allocated, but never freed: ensure that such memory is released also when ieee802_1x_kay_create_mka() returns a valid pointer.
Fixes: ad51731abf06 ("wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA")
Signed-off-by: Davide Caratti <davide.caratti@xxxxxxxxx>
---
 wpa_supplicant/wpas_kay.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index 11708b8a6..d3d06b8ae 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -392,25 +392,25 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
 {
 struct mka_key *cak;
 struct mka_key_name *ckn;
- void *res;
+ void *res = NULL;
 if ((ssid->mka_psk_set & MKA_PSK_SET) != MKA_PSK_SET)
- return NULL;
-
- if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0)
- return NULL;
-
- if (!wpa_s->kay || wpa_s->kay->policy == DO_NOT_SECURE)
- return NULL;
+ goto end;
 ckn = os_zalloc(sizeof(*ckn));
 if (!ckn)
- goto dealloc;
+ goto end;
 cak = os_zalloc(sizeof(*cak));
 if (!cak)
 goto free_ckn;
+ if (ieee802_1x_alloc_kay_sm(wpa_s, ssid) < 0 || !wpa_s->kay)
+ goto free_cak;
+
+ if (wpa_s->kay->policy == DO_NOT_SECURE)
+ goto dealloc;
+
 cak->len = MACSEC_CAK_LEN;
 os_memcpy(cak->key, ssid->mka_cak, cak->len);
@@ -419,17 +419,15 @@ void * ieee802_1x_create_preshared_mka(struct wpa_supplicant *wpa_s,
 res = ieee802_1x_kay_create_mka(wpa_s->kay, ckn, cak, 0, PSK, FALSE);
 if (res)
- return res;
+ goto free_cak;
+dealloc:
 /* Failed to create MKA */
+ ieee802_1x_dealloc_kay_sm(wpa_s);
+free_cak:
 os_free(cak);
-
- /* fallthrough */
-
 free_ckn:
 os_free(ckn);
-dealloc:
- ieee802_1x_dealloc_kay_sm(wpa_s);
-
- return NULL;
+end:
+ return res;
 }
--
2.14.3
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
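Review bot: In the first hunk the `wpa_s->kay->policy == DO_NOT_SECURE` case now does `goto dealloc;`, which calls `ieee802_1x_dealloc_kay_sm(wpa_s)`, whereas the removed code returned NULL and left the KaY state machine allocated. The commit message only talks about freeing the CAK/CKN copies, so if tearing down the KaY here is not intended this branch should be `goto free_cak;`, and if it is intended the message should say so. Either way the `/* Failed to create MKA */` comment under `dealloc:` no longer describes every path that reaches that label. The function's signature starts outside the hunk.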
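Review bot: The `free_cak:` label in the second hunk is now the single exit for the local CAK copy, on success as well as failure, yet it still releases the buffer with plain `os_free(cak)`, so the pre-shared key bytes copied from `ssid->mka_cak` remain readable in freed heap memory. Clearing the buffer before release closes that gap: replace the call with `bin_clear_free(cak, sizeof(*cak));`. The CKN is only the key's name, so `os_free(ckn)` can stay as it is. This assumes ieee802_1x_kay_create_mka() keeps its own copy of the key, as the commit message implies; that function is not visible in this patch.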