authorJouni Malinen <j@w1.fi>2015-11-01 17:35:44 (GMT)
committerJouni Malinen <j@w1.fi>2015-11-10 16:40:54 (GMT)
commit95577884ca4fa76be91344ff7a8d5d1e6dc3da61 (patch)
treec8bcf69ffd9dfa0b1a517efc6390c8e04f153d11 /src/eap_peer/eap_pwd.c
parentbef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa (diff)
EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity exchange has been completed, the group has not yet been determined and data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() did not take this corner case into account and could end up dereferencing a NULL pointer and terminating the process if an invalid message sequence is received. (CVE-2015-5316) Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer/eap_pwd.c')
-rw-r--r--src/eap_peer/eap_pwd.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 75ceef1..892b590 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
fin:
- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ if (data->grp)
+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
BN_clear_free(x);
BN_clear_free(y);
if (data->outbuf == NULL) {