From de01f254a61a4432ba89f3a5dc950d8678021d44 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 5 Mar 2017 16:16:42 +0200 Subject: [PATCH] RADIUS server: Fix error paths in new session creation radius_server_session_free() does not remove the session from the session list and these radius_server_get_new_session() error paths ended up leaving a pointer to freed memory into the session list. This resulted in the following operations failing due to use of freed memory. Fix this by using radius_server_session_remove() which removes the entry from the list in addition to calling radius_server_session_free(). Signed-off-by: Jouni Malinen
---
 src/radius/radius_server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index e8bef45fc..6cce2ff00 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -662,14 +662,14 @@ radius_server_get_new_session(struct radius_server_data *data,
 sess->username = os_malloc(user_len * 4 + 1);
 if (sess->username == NULL) {
- radius_server_session_free(data, sess);
+ radius_server_session_remove(data, sess);
 return NULL;
 }
 printf_encode(sess->username, user_len * 4 + 1, user, user_len);
 sess->nas_ip = os_strdup(from_addr);
 if (sess->nas_ip == NULL) {
- radius_server_session_free(data, sess);
+ radius_server_session_remove(data, sess);
 return NULL;
 }
@@ -702,7 +702,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 if (sess->eap == NULL) {
 RADIUS_DEBUG("Failed to initialize EAP state machine for the "
 "new session");
- radius_server_session_free(data, sess);
+ radius_server_session_remove(data, sess);
 return NULL;
 }
 sess->eap_if = eap_get_interface(sess->eap);
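Review bot: The cleanup call is still written out by hand at each of the three error returns in radius_server_get_new_session() (the two `if (... == NULL)` blocks in this hunk and the EAP failure block in the hunk at -702), so a later error path can reintroduce the same dangling list entry by picking the wrong helper. Routing them through one exit, `goto fail;` with a single `fail: radius_server_session_remove(data, sess); return NULL;`, would keep the unlink-then-free rule in one place. Going by the commit message, radius_server_session_free() does not unlink, so it also deserves a comment such as `/* Does not unlink sess from the session list; use radius_server_session_remove() for a listed session. */`. Its definition is not part of this diff, so confirm the wording against it. The function starts and ends outside both hunks, so where the label would sit is not visible here.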
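Review bot: The RADIUS_DEBUG message on the EAP initialisation failure path does not say which client the failed session belonged to, although the earlier hunk shows sess->nas_ip is already populated by this point. This path used to leave freed memory on the session list, so an operator correlating these failures with later misbehaviour needs the peer address in the log line. If RADIUS_DEBUG accepts printf-style arguments (its definition is not visible in this diff), consider `RADIUS_DEBUG("Failed to initialize EAP state machine for the new session (NAS %s)", sess->nas_ip);`. The two allocation-failure returns in the hunk at -662 log nothing at all and could get a similar one-line message.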