Merge branch 'bugfix/mem_leak_sae_pk' into 'master'

Jiang Jiang Jian · Jiang Jiang Jian · commit 7f1e4ebbaa02 · 2025-02-12T19:51:11.000+08:00
fix(wifi): Bugfix memory leak due to sae public key

See merge request espressif/esp-idf!36667
diff --git a/components/wpa_supplicant/src/common/sae_pk.c b/components/wpa_supplicant/src/common/sae_pk.c
@@ -620,6 +620,7 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	int group;
 	struct wpa_supplicant *wpa_s = &g_wpa_supp;
 	struct sae_pk_elems elems;
+	int ret = 0;
 
 	if (!tmp) {
 		return -1;
@@ -650,15 +651,17 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (!elems.fils_pk || !elems.fils_key_confirm || !elems.sae_pk) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Not all mandatory IEs included in confirm");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	/* TODO: Fragment reassembly */
 
 	if (elems.sae_pk_len < SAE_PK_M_LEN + AES_BLOCK_SIZE) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: No room for EncryptedModifier in SAE-PK element");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: EncryptedModifier",
@@ -669,14 +672,16 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 						0, NULL, NULL, m) < 0) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Failed to decrypt EncryptedModifier");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 	wpa_hexdump_key(MSG_DEBUG, "SAE-PK: Modifier M", m, SAE_PK_M_LEN);
 
 	if (elems.fils_pk[0] != 2) {
 		wpa_printf(MSG_INFO, "SAE-PK: Unsupported public key type %u",
 				   elems.fils_pk[0]);
-		return -1;
+		ret = -1;
+		goto done;
 	}
 	k_ap_len = elems.fils_pk_len - 1;
 	k_ap = elems.fils_pk + 1;
@@ -686,13 +691,15 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	key = crypto_ec_key_parse_pub(k_ap, k_ap_len);
 	if (!key) {
 		wpa_printf(MSG_INFO, "SAE-PK: Failed to parse K_AP");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 	group = crypto_ec_key_group(key);
 	if (!sae_pk_valid_fingerprint(sae, m, SAE_PK_M_LEN, k_ap, k_ap_len,
 								  group)) {
 		crypto_ec_key_deinit(key);
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
@@ -702,7 +709,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (sae_pk_hash_sig_data(sae, hash_len, false, m, SAE_PK_M_LEN,
 							 k_ap, k_ap_len, hash) < 0) {
 		crypto_ec_key_deinit(key);
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	res = crypto_ec_key_verify_signature(key, hash, hash_len,
@@ -713,12 +721,25 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (res != 1) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Invalid or incorrect signature in KeyAuth");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	wpa_printf(MSG_DEBUG, "SAE-PK: Valid KeyAuth signature received");
 
 	/* TODO: Store validated public key into network profile */
-	return 0;
+done:
+	if (wpa_s->sae_pk_elems.fils_pk) {
+		os_free(wpa_s->sae_pk_elems.fils_pk);
+	}
+	if (wpa_s->sae_pk_elems.sae_pk) {
+		os_free(wpa_s->sae_pk_elems.sae_pk);
+	}
+	if (wpa_s->sae_pk_elems.fils_key_confirm) {
+		os_free(wpa_s->sae_pk_elems.fils_key_confirm);
+	}
+	os_memset(&wpa_s->sae_pk_elems, 0, sizeof(wpa_s->sae_pk_elems));
+
+	return ret;
 }
 #endif /* CONFIG_SAE_PK */
