diff options
author | Jouni Malinen <j@w1.fi> | 2012-06-30 16:16:32 +0300 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2012-06-30 16:16:32 +0300 |
commit | 8350d0afd8f5a93c39c2569bd78b8f5c92f85348 (patch) | |
tree | a3485c78951b3e73aae0b20ea5face2d565ef7d8 /src/eap_peer/eap_pwd.c | |
parent | 0f27f15911c4ed68e757f3af9f65f7696a321876 (diff) | |
download | external_wpa_supplicant_8_ti-8350d0afd8f5a93c39c2569bd78b8f5c92f85348.zip external_wpa_supplicant_8_ti-8350d0afd8f5a93c39c2569bd78b8f5c92f85348.tar.gz external_wpa_supplicant_8_ti-8350d0afd8f5a93c39c2569bd78b8f5c92f85348.tar.bz2 |
EAP-pwd: Avoid double-frees on some error paths
At least some error paths (e.g., hitting the limit on hunt-and-peck
iterations) could have resulted in double-freeing of some memory
allocations. Avoid this by setting the pointers to NULL after they have
been freed instead of trying to free the data structure in a location
where some external references cannot be cleared. [Bug 453]
Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_peer/eap_pwd.c')
-rw-r--r-- | src/eap_peer/eap_pwd.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c index 37e9234..a5caf54 100644 --- a/src/eap_peer/eap_pwd.c +++ b/src/eap_peer/eap_pwd.c @@ -725,6 +725,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, */ if (data->out_frag_pos >= wpabuf_len(data->outbuf)) { wpabuf_free(data->outbuf); + data->outbuf = NULL; data->out_frag_pos = 0; } wpa_printf(MSG_DEBUG, "EAP-pwd: Send %s fragment of %d bytes", @@ -856,8 +857,11 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, /* * if we're not fragmenting then there's no need to carry this around */ - if (data->out_frag_pos == 0) + if (data->out_frag_pos == 0) { wpabuf_free(data->outbuf); + data->outbuf = NULL; + data->out_frag_pos = 0; + } return resp; } |