Merge branch 'bugfix/mem_leak_sae_pk_v5.1' into 'release/v5.1'

fix(wifi): Bugfix memory leak due to sae public key (v5.1)

See merge request espressif/esp-idf!36928
Jiang Jiang Jian 2025-03-03 10:40:40 +08:00
commit 46b822cacc


@ -620,6 +620,7 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
int group;
struct wpa_supplicant *wpa_s = &g_wpa_supp;
struct sae_pk_elems elems;
int ret = 0;
if (!tmp) {
return -1;
@ -650,7 +651,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
if (!elems.fils_pk || !elems.fils_key_confirm || !elems.sae_pk) {
wpa_printf(MSG_INFO,
"SAE-PK: Not all mandatory IEs included in confirm");
return -1;
ret = -1;
goto done;
}
/* TODO: Fragment reassembly */
@ -658,7 +660,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
if (elems.sae_pk_len < SAE_PK_M_LEN + AES_BLOCK_SIZE) {
wpa_printf(MSG_INFO,
"SAE-PK: No room for EncryptedModifier in SAE-PK element");
return -1;
ret = -1;
goto done;
}
wpa_hexdump(MSG_DEBUG, "SAE-PK: EncryptedModifier",
@ -669,14 +672,16 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
0, NULL, NULL, m) < 0) {
wpa_printf(MSG_INFO,
"SAE-PK: Failed to decrypt EncryptedModifier");
return -1;
ret = -1;
goto done;
}
wpa_hexdump_key(MSG_DEBUG, "SAE-PK: Modifier M", m, SAE_PK_M_LEN);
if (elems.fils_pk[0] != 2) {
wpa_printf(MSG_INFO, "SAE-PK: Unsupported public key type %u",
elems.fils_pk[0]);
return -1;
ret = -1;
goto done;
}
k_ap_len = elems.fils_pk_len - 1;
k_ap = elems.fils_pk + 1;
@ -686,13 +691,15 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
key = crypto_ec_key_parse_pub(k_ap, k_ap_len);
if (!key) {
wpa_printf(MSG_INFO, "SAE-PK: Failed to parse K_AP");
return -1;
ret = -1;
goto done;
}
group = crypto_ec_key_group(key);
if (!sae_pk_valid_fingerprint(sae, m, SAE_PK_M_LEN, k_ap, k_ap_len,
group)) {
crypto_ec_key_deinit(key);
return -1;
ret = -1;
goto done;
}
wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
@ -702,7 +709,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
if (sae_pk_hash_sig_data(sae, hash_len, false, m, SAE_PK_M_LEN,
k_ap, k_ap_len, hash) < 0) {
crypto_ec_key_deinit(key);
return -1;
ret = -1;
goto done;
}
res = crypto_ec_key_verify_signature(key, hash, hash_len,
@ -713,12 +721,25 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
if (res != 1) {
wpa_printf(MSG_INFO,
"SAE-PK: Invalid or incorrect signature in KeyAuth");
return -1;
ret = -1;
goto done;
}
wpa_printf(MSG_DEBUG, "SAE-PK: Valid KeyAuth signature received");
/* TODO: Store validated public key into network profile */
return 0;
done:
if (wpa_s->sae_pk_elems.fils_pk) {
os_free(wpa_s->sae_pk_elems.fils_pk);
}
if (wpa_s->sae_pk_elems.sae_pk) {
os_free(wpa_s->sae_pk_elems.sae_pk);
}
if (wpa_s->sae_pk_elems.fils_key_confirm) {
os_free(wpa_s->sae_pk_elems.fils_key_confirm);
}
os_memset(&wpa_s->sae_pk_elems, 0, sizeof(wpa_s->sae_pk_elems));
return ret;
}
#endif /* CONFIG_SAE_PK */
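Review bot: The first guard in sae_check_confirm_pk, `if (!tmp) { return -1; }`, still returns directly, so the new `done:` cleanup that frees `wpa_s->sae_pk_elems` is skipped on that path even though `ret` is already declared above it. The allocation of those buffers is not visible in these hunks, but if they are populated before this function is called, that exit would keep leaking them. The same applies to any other plain `return` in the lines not shown between the first and second hunk. Routing the guard through the label with `ret = -1; goto done;` would close the gap, and looks safe because `done:` only touches `wpa_s`, which is initialised at its declaration. Separately, the `if (...)` guards around each `os_free()` look redundant if os_free accepts NULL as free() does; a short comment at `done:` stating that this function takes ownership of the stored elements and releases them on every exit would help the next reader.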