aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <jouni@codeaurora.org>2019-05-08 16:59:21 (GMT)
committerJouni Malinen <j@w1.fi>2019-05-08 16:59:21 (GMT)
commit1cdfe8d23f9feb9523daad286b473fe010105977 (patch)
tree337a42d391bfc5e08748e3b31de55d64aba11312
parent51dc146f3e0f49e1e0f91339e92e901ff652a30f (diff)
downloadhostap-1cdfe8d23f9feb9523daad286b473fe010105977.zip
hostap-1cdfe8d23f9feb9523daad286b473fe010105977.tar.gz
hostap-1cdfe8d23f9feb9523daad286b473fe010105977.tar.bz2
DPP: Fix a memory leak in PKEX Qi/Qr derivation
The result of EC_GROUP_dup() needs to be freed, so do so within the derivation functions for all error cases and in the callers for success cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/common/dpp.c21
1 files changed, 14 insertions, 7 deletions
diff --git a/src/common/dpp.c b/src/common/dpp.c
index 614f82d..fd2e9f4 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -6634,7 +6634,7 @@ static EVP_PKEY * dpp_pkex_get_role_elem(const struct dpp_curve_params *curve,
static EC_POINT * dpp_pkex_derive_Qi(const struct dpp_curve_params *curve,
const u8 *mac_init, const char *code,
const char *identifier, BN_CTX *bnctx,
- const EC_GROUP **ret_group)
+ EC_GROUP **ret_group)
{
u8 hash[DPP_MAX_HASH_LEN];
const u8 *addr[3];
@@ -6703,8 +6703,10 @@ out:
EC_KEY_free(Pi_ec);
EVP_PKEY_free(Pi);
BN_clear_free(hash_bn);
- if (ret_group)
+ if (ret_group && Qi)
*ret_group = group2;
+ else
+ EC_GROUP_free(group2);
return Qi;
fail:
EC_POINT_free(Qi);
@@ -6716,7 +6718,7 @@ fail:
static EC_POINT * dpp_pkex_derive_Qr(const struct dpp_curve_params *curve,
const u8 *mac_resp, const char *code,
const char *identifier, BN_CTX *bnctx,
- const EC_GROUP **ret_group)
+ EC_GROUP **ret_group)
{
u8 hash[DPP_MAX_HASH_LEN];
const u8 *addr[3];
@@ -6785,8 +6787,10 @@ out:
EC_KEY_free(Pr_ec);
EVP_PKEY_free(Pr);
BN_clear_free(hash_bn);
- if (ret_group)
+ if (ret_group && Qr)
*ret_group = group2;
+ else
+ EC_GROUP_free(group2);
return Qr;
fail:
EC_POINT_free(Qr);
@@ -6867,7 +6871,7 @@ static struct wpabuf * dpp_pkex_build_exchange_req(struct dpp_pkex *pkex)
EC_KEY *X_ec = NULL;
const EC_POINT *X_point;
BN_CTX *bnctx = NULL;
- const EC_GROUP *group;
+ EC_GROUP *group = NULL;
EC_POINT *Qi = NULL, *M = NULL;
struct wpabuf *M_buf = NULL;
BIGNUM *Mx = NULL, *My = NULL;
@@ -6989,6 +6993,7 @@ out:
BN_clear_free(Mx);
BN_clear_free(My);
BN_CTX_free(bnctx);
+ EC_GROUP_free(group);
return msg;
fail:
wpa_printf(MSG_INFO, "DPP: Failed to build PKEX Exchange Request");
@@ -7233,7 +7238,7 @@ struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
struct dpp_pkex *pkex = NULL;
EC_POINT *Qi = NULL, *Qr = NULL, *M = NULL, *X = NULL, *N = NULL;
BN_CTX *bnctx = NULL;
- const EC_GROUP *group;
+ EC_GROUP *group = NULL;
BIGNUM *Mx = NULL, *My = NULL;
EC_KEY *Y_ec = NULL, *X_ec = NULL;;
const EC_POINT *Y_point;
@@ -7450,6 +7455,7 @@ out:
EC_POINT_free(X);
EC_KEY_free(X_ec);
EC_KEY_free(Y_ec);
+ EC_GROUP_free(group);
return pkex;
fail:
wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request processing failed");
@@ -7578,7 +7584,7 @@ struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
{
const u8 *attr_status, *attr_id, *attr_key, *attr_group;
u16 attr_status_len, attr_id_len, attr_key_len, attr_group_len;
- const EC_GROUP *group;
+ EC_GROUP *group = NULL;
BN_CTX *bnctx = NULL;
struct wpabuf *msg = NULL, *A_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
const struct dpp_curve_params *curve = pkex->own_bi->curve;
@@ -7775,6 +7781,7 @@ out:
EC_KEY_free(Y_ec);
EVP_PKEY_CTX_free(ctx);
BN_CTX_free(bnctx);
+ EC_GROUP_free(group);
return msg;
fail:
wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Response processing failed");