DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

TNC: Fix a stray pointer that could cause segfault on error path

Browse source 
On "eap_tnc_process" function error case, data->in_buf keeps reference
to a local scope variable. For example this will cause segmentation
fault in "eap_tnc_deinit" function "wpabuf_free(data->in_buf)"
statement.
This commit is contained in:
Masashi Honma 2009-03-16 21:01:07 +02:00 committed by Jouni Malinen
parent c590cb67d4
commit 2943799678
1 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/eap_peer/eap_tnc.c
View file

@ -295,7 +295,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
wpa_printf(MSG_DEBUG, "EAP-TNC: Server did not use " wpa_printf(MSG_DEBUG, "EAP-TNC: Server did not use "
"start flag in the first message"); "start flag in the first message");
ret->ignore = TRUE; ret->ignore = TRUE;
return NULL; goto fail;
} }
tncc_init_connection(data->tncc); tncc_init_connection(data->tncc);
@ -308,7 +308,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
wpa_printf(MSG_DEBUG, "EAP-TNC: Server used start " wpa_printf(MSG_DEBUG, "EAP-TNC: Server used start "
"flag again"); "flag again");
ret->ignore = TRUE; ret->ignore = TRUE;
return NULL; goto fail;
} }
res = tncc_process_if_tnccs(data->tncc, res = tncc_process_if_tnccs(data->tncc,
@ -317,7 +317,7 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
switch (res) { switch (res) {
case TNCCS_PROCESS_ERROR: case TNCCS_PROCESS_ERROR:
ret->ignore = TRUE; ret->ignore = TRUE;
return NULL; goto fail;
case TNCCS_PROCESS_OK_NO_RECOMMENDATION: case TNCCS_PROCESS_OK_NO_RECOMMENDATION:
case TNCCS_RECOMMENDATION_ERROR: case TNCCS_RECOMMENDATION_ERROR:
wpa_printf(MSG_DEBUG, "EAP-TNC: No " wpa_printf(MSG_DEBUG, "EAP-TNC: No "
@ -404,6 +404,11 @@ static struct wpabuf * eap_tnc_process(struct eap_sm *sm, void *priv,
data->out_buf = resp; data->out_buf = resp;
data->state = PROC_MSG; data->state = PROC_MSG;
return eap_tnc_build_msg(data, ret, id); return eap_tnc_build_msg(data, ret, id);
fail:
if (data->in_buf == &tmpbuf)
data->in_buf = NULL;
return NULL;
} }