From 529d6ed7262f0015552e3b8f6eed8ea4508d7c1f Mon Sep 17 00:00:00 2001
Message-Id: <529d6ed7262f0015552e3b8f6eed8ea4508d7c1f.1491928737.git.davide.caratti@gmail.com>
From: Davide Caratti
Date: Thu, 16 Mar 2017 14:01:54 +0100
Subject: [PATCH] mka: Fix use-after-free when receive secure channels are deleted

ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data, but secy_delete_receive_sc() still needs it. Since these two functions are always called sequentially, secy_delete_receive_sc() can be called from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.

Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti
---
 src/pae/ieee802_1x_kay.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 3f9e53d..31905ed 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
 ieee802_1x_delete_receive_sa(participant->kay, psa);
 dl_list_del(&psc->list);
+ secy_delete_receive_sc(participant->kay, psc);
 os_free(psc);
 }
@@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
 if (sci_equal(&rxsc->sci, &peer->sci)) {
 ieee802_1x_kay_deinit_receive_sc(
 participant, rxsc);
- secy_delete_receive_sc(kay, rxsc);
 }
 }
 dl_list_del(&peer->list);
@@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
 rxsc = dl_list_entry(participant->rxsc_list.next,
 struct receive_sc, list);
 ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
- secy_delete_receive_sc(kay, rxsc);
 }
 ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
 secy_delete_transmit_sc(kay, participant->txsc);
-- 
2.7.4
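Review bot: The added secy_delete_receive_sc() call in the first hunk now runs unconditionally inside ieee802_1x_kay_deinit_receive_sc(), so any caller not touched by this patch that still issues its own secy_delete_receive_sc() after the deinit would call it a second time on the freed psc; the two callers visible in the later hunks are fixed, but it is worth confirming no other caller in the file pairs the two calls. The ordering constraint that motivates the fix is only stated in the commit message, so a comment above the added line would keep it from being reintroduced, e.g. `/* the SecY callback still reads psc, so it must run before os_free() */`. The function ieee802_1x_kay_deinit_receive_sc() begins before this hunk.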