From: Andrey Kartashev <andrey.kartashev@xxxxxxxxxxxxx>
It is possible that driver fails to create Secure Channel (due to hardware limitations for example). This patch adds check of create_*_sc result code and breaks procedure in case of fail. Also this patch fix minor memory leak in ieee802_1x_kay_create_mka() in case of derive KEK/ICK fail.
Signed-off-by: Andrey Kartashev <andrey.kartashev@xxxxxxxxxxxxx>
---
 src/pae/ieee802_1x_kay.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index e508b38de..6703531e4 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -601,9 +601,14 @@ ieee802_1x_kay_create_live_peer(struct ieee802_1x_mka_participant *participant,
 return NULL;
 }
+ if (secy_create_receive_sc(participant->kay, rxsc))
+ {
+ os_free(rxsc);
+ os_free(peer);
+ return NULL;
+ }
 dl_list_add(&participant->live_peers, &peer->list);
 dl_list_add(&participant->rxsc_list, &rxsc->list);
- secy_create_receive_sc(participant->kay, rxsc);
 wpa_printf(MSG_DEBUG, "KaY: Live peer created");
 ieee802_1x_kay_dump_peer(peer);
@@ -661,10 +666,16 @@ ieee802_1x_kay_move_live_peer(struct ieee802_1x_mka_participant *participant,
 ieee802_1x_kay_dump_peer(peer);
 dl_list_del(&peer->list);
+ if (secy_create_receive_sc(participant->kay, rxsc))
+ {
+ wpa_printf(MSG_ERROR, "KaY: Can't create SC, discard peer");
+ os_free(rxsc);
+ os_free(peer);
+ return NULL;
+ }
 dl_list_add_tail(&participant->live_peers, &peer->list);
 dl_list_add(&participant->rxsc_list, &rxsc->list);
- secy_create_receive_sc(participant->kay, rxsc);
 return peer;
 }
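Review bot: The new failure branch in ieee802_1x_kay_create_live_peer() discards the peer without logging anything, while the same check added to ieee802_1x_kay_move_live_peer() in the next hunk logs at MSG_ERROR; a driver that cannot create more Secure Channels would then refuse peers here with no trace for whoever has to diagnose it. I would add `wpa_printf(MSG_ERROR, "KaY: Can't create SC, discard peer");` ahead of the two os_free() calls. The opening brace on a line of its own (here and in the next hunk) also sits oddly next to the brace-less `if` used for the transmit SC check later in this patch; `if (secy_create_receive_sc(participant->kay, rxsc)) {` would read more uniformly. The function starts and ends outside this hunk.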
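Review bot: On the failure branch in ieee802_1x_kay_move_live_peer() the peer has already been unlinked by `dl_list_del(&peer->list)` and is then freed, so any caller that looked up the same peer before calling this function would be holding a dangling pointer once NULL comes back. The callers are outside the hunk, so this has to be confirmed there; a comment at the branch such as `/* peer is unlinked and freed here; on NULL the caller must not touch it again */` would make the contract explicit. Where rxsc is allocated is also outside the hunk, so that a plain os_free() is the complete release for it is an assumption to verify.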
@@ -3381,7 +3392,8 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
 secy_cp_control_protect_frames(kay, kay->macsec_protect);
 secy_cp_control_replay(kay, kay->macsec_replay_protect,
 kay->macsec_replay_window);
- secy_create_transmit_sc(kay, participant->txsc);
+ if (secy_create_transmit_sc(kay, participant->txsc))
+ goto fail;
 /* to derive KEK from CAK and CKN */
 participant->kek.len = mka_alg_tbl[kay->mka_algindex].kek_len;
@@ -3429,6 +3441,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
 return participant;
 fail:
+ os_free(participant->txsc);
 os_free(participant);
 return NULL;
 }
--
2.17.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
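Review bot: Only the SC creation is checked here; the `secy_cp_control_protect_frames()` and `secy_cp_control_replay()` calls directly above still discard their results, so if the driver rejects either setting the participant would presumably be created with weaker frame or replay protection than configured. Assuming they report failure the same way `secy_create_transmit_sc()` does, they deserve the same treatment, e.g. `if (secy_cp_control_protect_frames(kay, kay->macsec_protect)) goto fail;`. The new `goto fail` is also silent; a line such as `wpa_printf(MSG_ERROR, "KaY: Can't create transmit SC");` before it would leave a record of why the participant was not created. The function body continues outside this hunk.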
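Review bot: The fail path now frees `participant->txsc` but never informs the driver, so when `fail:` is reached from the KEK/ICK derivation errors named in the commit message, which come after a successful `secy_create_transmit_sc()`, the driver-side transmit SC would apparently stay registered for a structure that no longer exists. A separate label for those later failures that calls `secy_delete_transmit_sc(kay, participant->txsc);` and then falls through to `fail:` would undo it. By that point participant may also hold derived key material (the KEK derivation follows SC creation in the previous hunk), so clearing the structure before `os_free(participant)` is worth considering. The goto sites themselves are outside this hunk.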