From 529d6ed7262f0015552e3b8f6eed8ea4508d7c1f Mon Sep 17 00:00:00 2001
Message-Id: <529d6ed7262f0015552e3b8f6eed8ea4508d7c1f.1491928737.git.davide.caratti@gmail.com>
From: Davide Caratti <davide.caratti@gmail.com>
Date: Thu, 16 Mar 2017 14:01:54 +0100
Subject: [PATCH] mka: Fix use-after-free when receive secure channels are
 deleted

ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
but secy_delete_receive_sc() still needs it. Since these two functions
are always called sequentially, secy_delete_receive_sc() can be called
from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.

Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
---
 src/pae/ieee802_1x_kay.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 3f9e53d..31905ed 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
 		ieee802_1x_delete_receive_sa(participant->kay, psa);
 
 	dl_list_del(&psc->list);
+	secy_delete_receive_sc(participant->kay, psc);
 	os_free(psc);
 }
 
@@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
 				if (sci_equal(&rxsc->sci, &peer->sci)) {
 					ieee802_1x_kay_deinit_receive_sc(
 						participant, rxsc);
-					secy_delete_receive_sc(kay, rxsc);
 				}
 			}
 			dl_list_del(&peer->list);
@@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
 		rxsc = dl_list_entry(participant->rxsc_list.next,
 				     struct receive_sc, list);
 		ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
-		secy_delete_receive_sc(kay, rxsc);
 	}
 	ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
 	secy_delete_transmit_sc(kay, participant->txsc);
-- 
2.7.4