| author | Andrew Elble <aweits@rit.edu> | 2017-09-07 21:42:02 -0400 |
|---|---|---|
| committer | Rashed Abdel-Tawab <rashedabdeltawab@gmail.com> | 2018-02-07 01:30:51 +0000 |
| commit | 55f469ac1a07c8f134de1c5a8b04b7513c928b64 (patch) | |
| tree | 311414d23ca5963a14a475b32b0587463508c7c2 | |
| parent | ac7891721bd6f9be777d9db74d4ff2768cfa49a2 (diff) | |
PMKSA: Fix use-after-free in pmksa_cache_clone_entry()

pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache
is full. This can result in the PMKSA cache containing entries with
corrupt expiration times.

Change-Id: Ibfc5d285eb4ae8efe4ccdf29f34e484485604778
Signed-off-by: Andrew Elble <aweits@rit.edu>
| -rw-r--r-- | src/rsn_supp/pmksa_cache.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c index 3d8d1222..67947c55 100644 --- a/src/rsn_supp/pmksa_cache.c +++ b/src/rsn_supp/pmksa_cache.c @@ -345,6 +345,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, const u8 *aa) { struct rsn_pmksa_cache_entry *new_entry; + os_time_t old_expiration = old_entry->expiration; new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len, NULL, NULL, 0, @@ -354,7 +355,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, return NULL; /* TODO: reorder entries based on expiration time? */ - new_entry->expiration = old_entry->expiration; + new_entry->expiration = old_expiration; new_entry->opportunistic = 1; return new_entry; |
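Review bot: In the first hunk (@@ -345), only the expiration is saved before the call, while `pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len, ...)` still hands old_entry->pmk to the same add path that the commit message says may free old_entry. Please confirm that the PMK bytes are copied into the new entry before any eviction of old_entry can happen; if that ordering is not guaranteed, take a local copy of the PMK in the same way as old_expiration. A short comment above `os_time_t old_expiration = old_entry->expiration;` saying that old_entry may be freed by the add would also stop the local from being folded back into a direct dereference later.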
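Review bot: In the second hunk (@@ -354), nothing documents that old_entry must be treated as invalid once pmksa_cache_add() has returned, so the next edit near `new_entry->expiration = old_expiration;` could reintroduce an old_entry-> read, and callers still hold the same pointer after this function returns. Suggest a comment at the assignment, and a note in the function's header comment, that old_entry may have been freed by the time new_entry is returned, so callers do not dereference it afterwards.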
