path: root/src/eap_peer/eap_sim.c
diff options
authorJouni Malinen <j@w1.fi>2014-05-11 14:54:59 (GMT)
committerJouni Malinen <j@w1.fi>2014-05-11 14:57:28 (GMT)
commit04cad507e1521682a2d138217c3afd0b4ddcada5 (patch)
treeb1cd0aeb01f9d6a53c1166f256d8ea772efd717e /src/eap_peer/eap_sim.c
parent32dca985c7320dc65699c993254d408e73ca874f (diff)
EAP-SIM peer: Fix counter-too-small message building
The extra data (nonce_s) used in this message was pointing to the parsed, decrypted data and that buffer was previously freed just before building the new message. This resulted in use of freed data and possibly incorrect extra data value that caused the authentication attempt to fail. Fix this by reordering the code to free the decrypted data only after the new message has been generated. This was already the case for EAP-AKA/AKA', but somehow missing from EAP-SIM. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer/eap_sim.c')
1 files changed, 6 insertions, 1 deletions
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index d856054..fc9df96 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -952,9 +952,11 @@ static struct wpabuf * eap_sim_process_reauthentication(
if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) {
+ struct wpabuf *res;
wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid counter "
"(%d <= %d)", eattr.counter, data->counter);
data->counter_too_small = eattr.counter;
/* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current
* reauth_id must not be used to start a new reauthentication.
* However, since it was used in the last EAP-Response-Identity
@@ -965,8 +967,11 @@ static struct wpabuf * eap_sim_process_reauthentication(
data->last_eap_identity_len = data->reauth_id_len;
data->reauth_id = NULL;
data->reauth_id_len = 0;
+ res = eap_sim_response_reauth(data, id, 1, eattr.nonce_s);
- return eap_sim_response_reauth(data, id, 1, eattr.nonce_s);
+ return res;
data->counter = eattr.counter;