authorMasashi Honma <honma@ictec.co.jp>2009-03-16 19:01:07 (GMT)
committerJouni Malinen <j@w1.fi>2009-03-16 19:01:07 (GMT)
commit294379967825d4c8222e08f2fbed33d43d3aefa3 (patch)
tree65125599fbcd9117c35c5bad91007c57c28855b9
parentc590cb67d47f4eee01fcc080c91101ec15e604c3 (diff)
TNC: Fix a stray pointer that could cause segfault on error path
In the error cases of the "eap_tnc_process" function, data->in_buf keeps a reference to a local-scope variable. For example, this will cause a segmentation fault at the "wpabuf_free(data->in_buf)" statement in the "eap_tnc_deinit" function.
-rw-r--r--src/eap_peer/eap_tnc.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/eap_peer/eap_tnc.c b/src/eap_peer/eap_tnc.c
index 0a3a01c..c560015 100644
--- a/src/eap_peer/eap_tnc.c
+++ b/src/eap_peer/eap_tnc.c
@@ -295,7 +295,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
wpa_printf(MSG_DEBUG, "EAP-TNC: Server did not use "
"start flag in the first message");
ret->ignore = TRUE;
- return NULL;
+ goto fail;
}
tncc_init_connection(data->tncc);
@@ -308,7 +308,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
wpa_printf(MSG_DEBUG, "EAP-TNC: Server used start "
"flag again");
ret->ignore = TRUE;
- return NULL;
+ goto fail;
}
res = tncc_process_if_tnccs(data->tncc,
@@ -317,7 +317,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
switch (res) {
case TNCCS_PROCESS_ERROR:
ret->ignore = TRUE;
- return NULL;
+ goto fail;
case TNCCS_PROCESS_OK_NO_RECOMMENDATION:
case TNCCS_RECOMMENDATION_ERROR:
wpa_printf(MSG_DEBUG, "EAP-TNC: No "
@@ -404,6 +404,11 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
data->out_buf = resp;
data->state = PROC_MSG;
return eap_tnc_build_msg(data, ret, id);
+
+fail:
+ if (data->in_buf == &tmpbuf)
+ data->in_buf = NULL;
+ return NULL;
}
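Review bot: The `fail:` block clears `data->in_buf` only when it aliases the stack-local `tmpbuf`, so if `in_buf` can hold a heap-allocated reassembly buffer at this point (not visible in these hunks), that buffer stays attached to the state on the error path and would be seen again by the next call. If that is intended it deserves a comment; otherwise it should be freed here too. The rejected messages come from the EAP server, so the stale pointer is reachable from network input, and the later `wpabuf_free(data->in_buf)` named in the description would be a free of a stack address rather than a plain crash. Most of the function body lies outside the hunks, so any remaining direct `return NULL` taken after `in_buf` is pointed at `tmpbuf` should be checked and routed through this label like the three `goto fail` sites above. I would add above the label: `/* in_buf may point at the stack-local tmpbuf; never leave that pointer in data on return */`.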