[PATCH 1/5] wpa_supplicant: fix possible memory leak in handle_auth()

Peer, Ilan ilan.peer at intel.com
Tue Jun 30 06:52:18 EDT 2015



> -----Original Message-----
> From: Jouni Malinen [mailto:j at w1.fi]
> Sent: Monday, June 29, 2015 20:35
> To: Peer, Ilan
> Cc: Eytan Lifshitz; hostap at lists.shmoo.com
> Subject: Re: [PATCH 1/5] wpa_supplicant: fix possible memory leak in
> handle_auth()
> 
> On Sun, Jun 21, 2015 at 01:09:39PM +0000, Peer, Ilan wrote:
> > This is the tool's traceback:
> >
> > ieee802_11.c:962: Dynamic memory stored in 'identity' is allocated by calling function 'hostapd_allowed_address'.
> > ieee802_11_auth.c#1:271: '*identity' is allocated by function 'hostapd_acl_cache_get'.
> > ieee802_11_auth.c#1:128: entry->identity is true
> > ieee802_11_auth.c#1:129: '*identity' is allocated by function 'strdup'.
> 
> This code path returns entry->accepted on line 139. The only values assigned
> to entry->accepted are HOSTAPD_ACL_ACCEPT_TIMEOUT,
> HOSTAPD_ACL_ACCEPT, and HOSTAPD_ACL_REJECT.
> 
> > ieee802_11.c:980: Dynamic memory stored in 'identity' is lost.
> 
> This is within "if (res == HOSTAPD_ACL_PENDING)" and since
> entry->accepted in ieee802_11_auth.c:139 cannot have that value, this
> code path does not look possible (nor does this look reasonable as far as
> generic functionality is concerned since HOSTAPD_ACL_PENDING indicates
> that the Access-Accept with the 'identity' value has not yet been received).
> 
> --

Thanks. Please drop this one.

Ilan.
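The argument in the quoted review, written out as an added C model (not hostapd source and not part of the original messages): if the cached verdict can never be "pending", the branch the tool flagged never holds an allocated identity. All names, enum values and function bodies below are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of the reported path; constructed, not hostapd code. */
enum acl_res { ACL_REJECT, ACL_ACCEPT, ACL_PENDING, ACL_ACCEPT_TIMEOUT };

struct cache_entry {
    int valid;              /* entry present in the cache */
    enum acl_res accepted;  /* invariant: never ACL_PENDING */
    const char *identity;   /* may be NULL */
};

/* Stands in for the strdup() call named in the tool's trace. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Only writer of e->accepted; refusing ACL_PENDING makes the invariant explicit. */
int cache_store(struct cache_entry *e, enum acl_res final, const char *identity)
{
    if (final == ACL_PENDING)
        return -1;
    e->valid = 1;
    e->accepted = final;
    e->identity = identity;
    return 0;
}

/* Cache hit: hand the caller its own copy of identity and the cached verdict.
 * Returns -1 on a miss and leaves *identity untouched. */
static int cache_get(const struct cache_entry *e, char **identity)
{
    if (!e->valid)
        return -1;
    if (e->identity)
        *identity = dup_str(e->identity);
    return e->accepted;
}

/* Caller modelled on the flagged branch: returns 1 if the "pending" branch
 * would be entered while holding an allocated identity, else 0. */
int pending_branch_leaks(const struct cache_entry *e)
{
    char *identity = NULL;
    int res = cache_get(e, &identity);
    if (res < 0)
        res = ACL_PENDING;  /* miss: answer not received yet, no identity */
    int leak = (res == ACL_PENDING && identity != NULL);
    free(identity);
    return leak;
}
```

Writing `ACL_PENDING` into `accepted` directly, bypassing `cache_store()`, makes `pending_branch_leaks()` return 1, which is the path the analyzer assumed was reachable.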

