[PATCH 5/5] WPS: Fix possible memory leak in wps_er_config_token_from_cred()

Jouni Malinen j at w1.fi
Mon Jun 29 13:41:44 EDT 2015


On Sun, Jun 21, 2015 at 01:56:45PM +0000, Peer, Ilan wrote:
> > > In wps_er_config_token_from_cred() data.new_pak memory is allocated in
> > > wps_build_cred() and the function returns before the memroy is released.
> > 
> > > diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c @@ -2039,10 +2039,12
> > > @@ struct wpabuf * wps_er_config_token_from_cred(struct wps_context
> > *wps,
> > >  	data.use_cred = cred;
> > >  	if (wps_build_cred(&data, ret) ||
> > >  	    wps_build_wfa_ext(ret, 0, NULL, 0)) {
> > > +		os_free(data.new_psk);

> This is the traceback from the tool:
> 
> wps_er.c:2040: Dynamic memory stored in 'data.new_psk' is allocated by calling function 'wps_build_cred'.

wps_er.c:2039 sets data.user_cred to a non-NULL value (neither of the
two callers of wps_er_config_token_from_cred() can use NULL as the cred
argument).

> wps_registrar.c:1686: wps->auth_type& (2|32) is true

this is within wps_build_cred() after these steps:

    if (wps->use_cred) {
	os_memcpy(&wps->cred, wps->use_cred, sizeof(wps->cred));
	goto use_provided;
    }

and before the use_provided label. There is no label in the middle
either, so no way to get back to line 1686. In other words, this code
path is not possible.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list