Corrected freed memory access on incoming EAPOL handling

For repeated/duplicated EAP-TLS messages it is possible that they arrive after EAP-TLS is completed on BR. In this case they are handled by Initial EAPOL-key handler and the message and handler are deleted right away. The KMP receive message function however still referred to deleted handler which caused freed memory access. This is now corrected.
artokin · Mar 23, 2021 · 3ec2a2c · 3ec2a2c
1 parent aecadc4
commit 3ec2a2c
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/source/Security/kmp/kmp_api.c b/source/Security/kmp/kmp_api.c
@@ -598,8 +598,7 @@ int8_t kmp_service_msg_if_receive(kmp_service_t *service, uint8_t instance_id, k
     int8_t ret = -1;
     if (kmp->sec_prot.receive != NULL) {
         ret = kmp->sec_prot.receive(&kmp->sec_prot, pdu, size);
-    }
-    if (kmp->sec_prot.conn_receive != NULL) {
+    } else if (kmp->sec_prot.conn_receive != NULL) {
         ret = kmp->sec_prot.conn_receive(&kmp->sec_prot, pdu, size, connection_num);
     }