author Jouni Malinen <j@w1.fi> 2015-11-01 19:35:44 +0200
committer Abhisek Devkota <ciwrl@cyanogenmod.com> 2015-11-11 08:35:12 -0800
commit dfb3c195fabaee607422c579c2c76eaa8f16a34f (patch)
tree e2eef4f2c549f3eea065ae7791d360f4f463c06c
parent 7902b1791bbc63de38d71743f7428f969af3b3ed (diff)
EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity exchange has been completed, the group has not yet been determined and data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() did not take this corner case into account and could end up dereferencing a NULL pointer and terminating the process if invalid message sequence is received.

CYNGNOS-1299
Change-Id: Ifaa7c76bd0b27fc61f1e3e5b33eb14d281289dcb
Signed-off-by: Jouni Malinen <j@w1.fi>
(cherry picked from commit 6a51515fb0bd5da09e8865c2d9d33e4518437438)
-rw-r--r-- src/eap_peer/eap_pwd.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index bc4ddc57..46bd217c 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -713,7 +713,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
fin:
- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ if (data->grp)
+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
BN_clear_free(x);
BN_clear_free(y);
if (data->outbuf == NULL) {
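Review bot: at the `fin:` label, the new `if (data->grp)` guard skips `bin_clear_free(cruft, ...)` entirely when the group is unset, so any path that reaches `fin` with `cruft` already allocated and `data->grp` NULL would leave that buffer neither cleared nor freed. Please confirm that `cruft` is always NULL in that case, or keep the allocation length in a local variable so the clear-and-free does not depend on `data->grp`. Since the commit message describes this as an invalid message sequence, rejecting a Confirm that arrives before the Identity exchange at the top of the function would also keep any later code from touching `data->grp`, and a short comment on the guard saying when `data->grp` can be NULL would help the next reader.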