42 lines
1.6 KiB
Diff
42 lines
1.6 KiB
Diff
|
From e50df5d2a265a462b0efc056d360649608f160bf Mon Sep 17 00:00:00 2001
|
||
|
Message-Id: <e50df5d2a265a462b0efc056d360649608f160bf.1491928635.git.davide.caratti@gmail.com>
|
||
|
From: Davide Caratti <davide.caratti@gmail.com>
|
||
|
Date: Thu, 16 Mar 2017 14:01:55 +0100
|
||
|
Subject: [PATCH] mka: Fix use-after-free when transmit secure channels are
|
||
|
deleted
|
||
|
|
||
|
ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
|
||
|
data, but secy_delete_transmit_sc() still needs it. Since this functions
|
||
|
are called sequentially, secy_delete_transmit_sc() can be called from
|
||
|
ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.
|
||
|
|
||
|
Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
|
||
|
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
|
||
|
---
|
||
|
src/pae/ieee802_1x_kay.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
|
||
|
index 31905ed..1d4ed89 100644
|
||
|
--- a/src/pae/ieee802_1x_kay.c
|
||
|
+++ b/src/pae/ieee802_1x_kay.c
|
||
|
@@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
|
||
|
dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
|
||
|
ieee802_1x_delete_transmit_sa(participant->kay, psa);
|
||
|
|
||
|
+ secy_delete_transmit_sc(participant->kay, psc);
|
||
|
os_free(psc);
|
||
|
}
|
||
|
|
||
|
@@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
|
||
|
ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
|
||
|
}
|
||
|
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
|
||
|
- secy_delete_transmit_sc(kay, participant->txsc);
|
||
|
|
||
|
os_memset(&participant->cak, 0, sizeof(participant->cak));
|
||
|
os_memset(&participant->kek, 0, sizeof(participant->kek));
|
||
|
--
|
||
|
2.7.4
|
||
|
|