From 0be8b9238f6ca95731f215304458d4d954a31cd8 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 15 Apr 2019 22:50:06 +0300 Subject: [PATCH] mka: Avoid memory leak in unexpected case in RECEIVE It looks like it is possible for the RECEIVE state to leak memory where a previously allocated sm->lki is moved to sm->oki while sm->oki is pointing to not yet freed entry. It is not clear how this can be triggered, but it has come up in hwsim testing under heavy load. Free sm->oki if it is still set in RECEIVE before replacing it with sm->lki to avoid this memory leak. Signed-off-by: Jouni Malinen --- src/pae/ieee802_1x_cp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c index 8cdce30e8..1c4dc3e63 100644 --- a/src/pae/ieee802_1x_cp.c +++ b/src/pae/ieee802_1x_cp.c @@ -214,6 +214,10 @@ SM_STATE(CP, RECEIVE) SM_ENTRY(CP, RECEIVE); /* RECEIVE state machine not keep with Figure 12-2 in * IEEE Std 802.1X-2010 */ + if (sm->oki) { + ieee802_1x_kay_delete_sas(sm->kay, sm->oki); + os_free(sm->oki); + } sm->oki = sm->lki; sm->oan = sm->lan; sm->otx = sm->ltx;
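Review bot: In the new `if (sm->oki)` block in SM_STATE(CP, RECEIVE), nothing guards against sm->oki and sm->lki referring to the same allocation. If they did, `os_free(sm->oki);` would be followed immediately by `sm->oki = sm->lki;`, leaving both pointers on freed memory. The visible lines do not show whether that aliasing can happen, so either confirm it cannot or extend the condition to `sm->oki && sm->oki != sm->lki`. Because the commit message says the trigger is not understood, a wpa_printf(MSG_DEBUG, ...) inside the branch would help identify the path when it fires in hwsim runs. The commit message describes only freeing sm->oki, while the hunk also calls ieee802_1x_kay_delete_sas() on it; a short comment on why the SAs for the old key must be deleted here would make that intent clear.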