aboutsummaryrefslogtreecommitdiffstats
path: root/src/rsn_supp
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-12-20 08:52:30 (GMT)
committerJouni Malinen <j@w1.fi>2015-12-20 08:52:30 (GMT)
commitcd5895e8c5aac5620135085af606e698debdbf2a (patch)
tree884c5c7d17e9858fbabb1a596606f62a03cd665a /src/rsn_supp
parenta551da6aae172c53f81867a105399c5db9071aa8 (diff)
downloadhostap-cd5895e8c5aac5620135085af606e698debdbf2a.zip
hostap-cd5895e8c5aac5620135085af606e698debdbf2a.tar.gz
hostap-cd5895e8c5aac5620135085af606e698debdbf2a.tar.bz2
WPA: Explicitly clear the buffer used for decrypting Key Data
When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was decrypted using a temporary heap buffer with aes_unwrap(). That buffer was not explicitly cleared, so it was possible for the group keys to remain in memory unnecessarily until the allocated area was reused. Clean this up by clearing the temporary allocation explicitly before freeing it. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/rsn_supp')
-rw-r--r--src/rsn_supp/wpa.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 9bde3c8..669f658 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1670,14 +1670,14 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
}
if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
key_data, buf)) {
- os_free(buf);
+ bin_clear_free(buf, *key_data_len);
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: AES unwrap failed - "
"could not decrypt EAPOL-Key key data");
return -1;
}
os_memcpy(key_data, buf, *key_data_len);
- os_free(buf);
+ bin_clear_free(buf, *key_data_len);
WPA_PUT_BE16(key->key_data_length, *key_data_len);
} else {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,