[PATCH 2/2] wpa_supplicant: fix memory leaks and wrong memory access

Ilan Peer ilan.peer at intel.com
Tue Jan 28 02:32:35 EST 2014


From: Eytan Lifshitz <eytan.lifshitz at intel.com>

1. In wpa_config_process_bgscan() fix memory leak after
   calling wpa_config_parse_string()
2. In hostapd_config_defaults(), on failure to allocate bss->radius,
   conf->bss was not freed.
3. In p2p_deauth_notif(), memory allocated in p2p_parse_ies() was not
   freed in case of NULL minor_reason_code.
4. In p2p_disassoc_notif(), memory allocated in p2p_parse_ies() was not
   freed in case of NULL minor_reason_code.
5. In p2p_process_go_neg_conf(), memory allocated was not freed in case
   that the P2P Device interface was not waiting for a GoN confirm.
6. In wpas_set_pkcs11_engine_and_module_path(), the wrong pointer was checked.

Signed-hostap: Eytan Lifshitz <eytan.lifshitz at intel.com>
---
 src/ap/ap_config.c              |    1 +
 src/p2p/p2p.c                   |    8 ++++++--
 src/p2p/p2p_go_neg.c            |    1 +
 wpa_supplicant/config.c         |    5 ++++-
 wpa_supplicant/wpa_supplicant.c |    2 +-
 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 79ab4ba..368b202 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -140,6 +140,7 @@ struct hostapd_config * hostapd_config_defaults(void)
 
 	bss->radius = os_zalloc(sizeof(*bss->radius));
 	if (bss->radius == NULL) {
+		os_free(conf->bss);
 		os_free(conf);
 		os_free(bss);
 		return NULL;
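Review bot: The added `os_free(conf->bss);` is safe only if `conf->bss` is its own allocation and never aliases `bss`, which is freed two lines later; if both pointed at the same memory, this error path would free it twice. The assignment of `conf->bss` lies above the hunk, so this cannot be confirmed from the lines shown. If that is the layout, a short comment on the error path would record the ownership, for example `/* conf->bss is the pointer array; bss is the entry it holds */`. hostapd_config_defaults() starts and continues outside the hunk.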
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index ca347e7..957dee5 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -3862,8 +3862,10 @@ void p2p_deauth_notif(struct p2p_data *p2p, const u8 *bssid, u16 reason_code,
 	os_memset(&msg, 0, sizeof(msg));
 	if (p2p_parse_ies(ie, ie_len, &msg))
 		return;
-	if (msg.minor_reason_code == NULL)
+	if (msg.minor_reason_code == NULL) {
+		p2p_parse_free(&msg);
 		return;
+	}
 
 	p2p_dbg(p2p, "Deauthentication notification BSSID " MACSTR
 		" reason_code=%u minor_reason_code=%u",
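Review bot: The parse-failure return directly above the changed lines, `if (p2p_parse_ies(ie, ie_len, &msg)) return;`, still exits without `p2p_parse_free(&msg)`, and whether p2p_parse_ies() releases partially parsed state on error is not visible in this hunk. The IEs presumably come from a received frame, so a leak on malformed input could be triggered repeatedly by a peer. Either free on that path too or state the contract next to the call, e.g. `/* p2p_parse_ies() releases msg on failure */`. The same applies to the p2p_disassoc_notif() hunk that follows; both function bodies continue outside their hunks.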
@@ -3884,8 +3886,10 @@ void p2p_disassoc_notif(struct p2p_data *p2p, const u8 *bssid, u16 reason_code,
 	os_memset(&msg, 0, sizeof(msg));
 	if (p2p_parse_ies(ie, ie_len, &msg))
 		return;
-	if (msg.minor_reason_code == NULL)
+	if (msg.minor_reason_code == NULL) {
+		p2p_parse_free(&msg);
 		return;
+	}
 
 	p2p_dbg(p2p, "Disassociation notification BSSID " MACSTR
 		" reason_code=%u minor_reason_code=%u",
diff --git a/src/p2p/p2p_go_neg.c b/src/p2p/p2p_go_neg.c
index 76436f5..e28f93e 100644
--- a/src/p2p/p2p_go_neg.c
+++ b/src/p2p/p2p_go_neg.c
@@ -1136,6 +1136,7 @@ void p2p_process_go_neg_conf(struct p2p_data *p2p, const u8 *sa,
 
 	if (!(dev->flags & P2P_DEV_WAIT_GO_NEG_CONFIRM)) {
 		p2p_dbg(p2p, "Was not expecting GO Negotiation Confirm - ignore");
+		p2p_parse_free(&msg);
 		return;
 	}
 	dev->flags &= ~P2P_DEV_WAIT_GO_NEG_CONFIRM;
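Review bot: Every early return in p2p_process_go_neg_conf() that follows the parse now has to carry its own `p2p_parse_free(&msg);`, and this branch shows how easily one is missed. The function starts and ends outside the hunk, so the other exits between the parse call and the end cannot be checked here and deserve the same audit. A single cleanup label would make the pattern harder to get wrong: replace the `return;` in this branch with `goto out;` and place `out: p2p_parse_free(&msg);` at the end of the function.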
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b43a72a..2dd7054 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2912,6 +2912,7 @@ static int wpa_config_process_bgscan(const struct global_parse_data *data,
 {
 	size_t len;
 	char *tmp;
+	int res;
 
 	tmp = wpa_config_parse_string(pos, &len);
 	if (tmp == NULL) {
@@ -2920,7 +2921,9 @@ static int wpa_config_process_bgscan(const struct global_parse_data *data,
 		return -1;
 	}
 
-	return wpa_global_config_parse_str(data, config, line, tmp);
+	res = wpa_global_config_parse_str(data, config, line, tmp);
+	os_free(tmp);
+	return res;
 }
 
 
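Review bot: Freeing `tmp` right after the call is correct only if wpa_global_config_parse_str() keeps its own copy of the string; if it stored the pointer in `config`, `os_free(tmp);` would leave a dangling pointer behind. That function is not part of this diff, so the assumption should be written down where the free happens, for example `/* wpa_global_config_parse_str() duplicates tmp, so release our copy */`. The opening of wpa_config_process_bgscan() is in the previous hunk.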
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 35f5693..455b158 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2083,7 +2083,7 @@ int wpas_set_pkcs11_engine_and_module_path(struct wpa_supplicant *wpa_s,
 	}
 	if (pkcs11_module_path != NULL) {
 		pkcs11_module_path_copy = os_strdup(pkcs11_module_path);
-		if (pkcs11_engine_path_copy == NULL) {
+		if (pkcs11_module_path_copy == NULL) {
 			os_free(pkcs11_engine_path_copy);
 			return -1;
 		}
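Review bot: The `os_free(pkcs11_engine_path_copy);` on this failure path appears to run even when no engine path was passed in, so it depends on `pkcs11_engine_path_copy` having been initialised to NULL. The declaration is above the hunk and cannot be checked here. If it is not already `char *pkcs11_engine_path_copy = NULL;`, that initialiser should be added together with this fix. wpas_set_pkcs11_engine_and_module_path() starts and continues outside the hunk.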
-- 
1.7.10.4


