EAP-pwd: Fix memory leak on error path with fragmentation
authorJouni Malinen <j@w1.fi>
Sat, 5 Apr 2014 21:19:26 +0000 (00:19 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 5 Apr 2014 21:34:30 +0000 (00:34 +0300)
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_pwd.c
src/eap_server/eap_server_pwd.c

index fef4783..9eb058e 100644 (file)
@@ -161,6 +161,8 @@ static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
                BN_free(data->grp->prime);
                os_free(data->grp);
        }
+       wpabuf_free(data->inbuf);
+       wpabuf_free(data->outbuf);
        os_free(data);
 }
 
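Review bot: The two `wpabuf_free()` calls added to eap_pwd_deinit() make "the pointer is NULL whenever the buffer is not owned" a hard invariant for `data->inbuf` and `data->outbuf`, and nothing in the code states it. The later hunks in this file reset the pointer at two inbuf free sites in eap_pwd_process(), but any free of `data->outbuf` in src/eap_peer/eap_pwd.c lies outside the diff and cannot be checked from here. A site that leaves the pointer dangling would now become a double free at teardown, and the fragmentation state is driven by messages from the remote side. The same invariant applies to eap_pwd_reset() in src/eap_server/eap_server_pwd.c. I would add a comment above the new lines, `/* inbuf/outbuf are NULL unless a fragmented message is in progress; every other free site must reset them */`, and audit the remaining free sites; eap_pwd_deinit() starts before this hunk.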
@@ -773,6 +775,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
                                   (int) data->in_frag_pos,
                                   (int) wpabuf_len(data->inbuf));
                        wpabuf_free(data->inbuf);
+                       data->inbuf = NULL;
                        data->in_frag_pos = 0;
                        return NULL;
                }
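Review bot: The free / NULL / reset-position triple is written out by hand in this error branch, again in the `if (data->in_frag_pos)` block of the next hunk, and twice more in src/eap_server/eap_server_pwd.c (outbuf in eap_pwd_build_req(), inbuf in eap_pwd_process()). Because the NULL assignment is what keeps the new frees in eap_pwd_deinit() and eap_pwd_reset() safe, a small static helper per buffer would keep the three steps together so a future error path cannot drop one of them. The enclosing condition and the start of the debug message are outside this hunk, so the sketch shows only the helper and the tail of the branch.

```c
/* Release the reassembly buffer and clear its state so teardown cannot free it again. */
static void eap_pwd_drop_inbuf(struct eap_pwd_data *data)
{
	wpabuf_free(data->inbuf);
	data->inbuf = NULL;
	data->in_frag_pos = 0;
}

/* ... unchanged: overflow check and debug message in eap_pwd_process() ... */
			eap_pwd_drop_inbuf(data);
			return NULL;
```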
@@ -824,6 +827,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
         */
        if (data->in_frag_pos) {
                wpabuf_free(data->inbuf);
+               data->inbuf = NULL;
                data->in_frag_pos = 0;
        }
 
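Review bot: The cleanup in this block is gated on `data->in_frag_pos` rather than on the buffer pointer, so it relies on the position being non-zero whenever `data->inbuf` is allocated. Whether that always holds depends on the allocation and copy code outside this hunk; if a buffer can exist while the position is still 0, it would survive until deinit and a later allocation could overwrite the pointer. Since `wpabuf_free()` is already called unconditionally on these fields in eap_pwd_deinit(), the gate can safely cover both cases: `if (data->inbuf || data->in_frag_pos) {`. The same gate appears at the end of eap_pwd_process() in src/eap_server/eap_server_pwd.c.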
index b61061b..3467dd1 100644 (file)
@@ -150,6 +150,8 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
                BN_free(data->grp->prime);
                os_free(data->grp);
        }
+       wpabuf_free(data->inbuf);
+       wpabuf_free(data->outbuf);
        os_free(data);
 }
 
@@ -523,6 +525,7 @@ eap_pwd_build_req(struct eap_sm *sm, void *priv, u8 id)
         */
        if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
                wpabuf_free(data->outbuf);
+               data->outbuf = NULL;
                data->out_frag_pos = 0;
        }
 
@@ -949,6 +952,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
         */
        if (data->in_frag_pos) {
                wpabuf_free(data->inbuf);
+               data->inbuf = NULL;
                data->in_frag_pos = 0;
        }
 }