[PATCH 1/5] wpa_supplicant: fix possible memory leak in handle_auth()

Jouni Malinen j at w1.fi
Mon Jun 29 13:34:51 EDT 2015


On Sun, Jun 21, 2015 at 01:09:39PM +0000, Peer, Ilan wrote:
> This is the tool's traceback:
> 
> ieee802_11.c:962: Dynamic memory stored in 'identity' is allocated by calling function 'hostapd_allowed_address'.
> ieee802_11_auth.c#1:271: '*identity' is allocated by function 'hostapd_acl_cache_get'.
> ieee802_11_auth.c#1:128: entry->identity is true
> ieee802_11_auth.c#1:129: '*identity' is allocated by function 'strdup'.

This code path returns entry->accepted on line 139. The only values
assigned to entry->accepted are HOSTAPD_ACL_ACCEPT_TIMEOUT,
HOSTAPD_ACL_ACCEPT, and HOSTAPD_ACL_REJECT.

> ieee802_11.c:980: Dynamic memory stored in 'identity' is lost.

This is within "if (res == HOSTAPD_ACL_PENDING)" and since
entry->accepted in ieee802_11_auth.c:139 cannot have that value, this
code path does not look possible (nor does this look reasonable as far
as generic functionality is concerned since HOSTAPD_ACL_PENDING
indicates that the Access-Accept with the 'identity' value has not yet
been received).

-- 
Jouni Malinen                                            PGP id EFC895FA
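
The reachability argument in the reply above, as a small C model added here for illustration (it is not hostapd code and not part of the original message). The struct, the `model_*` functions and `pending_return_leaks` are hypothetical stand-ins, and the cache-miss behaviour is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Result codes named in the thread; the numeric values are arbitrary here. */
enum acl_res { HOSTAPD_ACL_REJECT, HOSTAPD_ACL_ACCEPT,
               HOSTAPD_ACL_PENDING, HOSTAPD_ACL_ACCEPT_TIMEOUT };

/* Hypothetical cache entry holding only the two fields under discussion. */
struct model_entry { enum acl_res accepted; const char *identity; };

/* Cache-hit path: copy the identity out, then return entry->accepted.
 * The traceback shows strdup here; malloc+memcpy keeps the model ISO C. */
static enum acl_res model_cache_get(const struct model_entry *e, char **identity)
{
    if (e->identity) {
        size_t n = strlen(e->identity) + 1;
        *identity = malloc(n);
        if (*identity)
            memcpy(*identity, e->identity, n);   /* caller owns this copy */
    }
    return e->accepted;
}

/* Lookup: a hit goes through the cache; a miss (hit == NULL) is assumed to
 * return PENDING with *identity untouched, as no Access-Accept exists yet. */
static enum acl_res model_allowed_address(const struct model_entry *hit, char **identity)
{
    *identity = NULL;
    return hit ? model_cache_get(hit, identity) : HOSTAPD_ACL_PENDING;
}

/* Caller with the flagged early return on PENDING. Returns 1 if that return
 * would drop an allocated identity, 0 if nothing is lost. */
int pending_return_leaks(const struct model_entry *hit)
{
    char *identity;
    enum acl_res res = model_allowed_address(hit, &identity);
    int leaked = (res == HOSTAPD_ACL_PENDING && identity != NULL);
    free(identity);   /* the model always frees, so the example itself is clean */
    return leaked;
}
```

Only an entry whose `accepted` field holds HOSTAPD_ACL_PENDING makes `pending_return_leaks` return 1, which is the state the reply says is never assigned.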

