In the error cases of the "eap_tnc_process" function, data->in_buf keeps
a reference to a local-scope variable. For example, this will cause a
segmentation fault at the "wpabuf_free(data->in_buf)" statement in the
"eap_tnc_deinit" function.
wpa_printf(MSG_DEBUG, "EAP-TNC: Server did not use "
"start flag in the first message");
ret->ignore = TRUE;
wpa_printf(MSG_DEBUG, "EAP-TNC: Server did not use "
"start flag in the first message");
ret->ignore = TRUE;
}
tncc_init_connection(data->tncc);
}
tncc_init_connection(data->tncc);
wpa_printf(MSG_DEBUG, "EAP-TNC: Server used start "
"flag again");
ret->ignore = TRUE;
wpa_printf(MSG_DEBUG, "EAP-TNC: Server used start "
"flag again");
ret->ignore = TRUE;
}
res = tncc_process_if_tnccs(data->tncc,
}
res = tncc_process_if_tnccs(data->tncc,
switch (res) {
case TNCCS_PROCESS_ERROR:
ret->ignore = TRUE;
switch (res) {
case TNCCS_PROCESS_ERROR:
ret->ignore = TRUE;
case TNCCS_PROCESS_OK_NO_RECOMMENDATION:
case TNCCS_RECOMMENDATION_ERROR:
wpa_printf(MSG_DEBUG, "EAP-TNC: No "
case TNCCS_PROCESS_OK_NO_RECOMMENDATION:
case TNCCS_RECOMMENDATION_ERROR:
wpa_printf(MSG_DEBUG, "EAP-TNC: No "
data->out_buf = resp;
data->state = PROC_MSG;
return eap_tnc_build_msg(data, ret, id);
data->out_buf = resp;
data->state = PROC_MSG;
return eap_tnc_build_msg(data, ret, id);
+
+fail:
+ if (data->in_buf == &tmpbuf)
+ data->in_buf = NULL;
+ return NULL;
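Review bot: The `fail:` label resets `data->in_buf` only when it aliases the stack-local `tmpbuf`, so the fix holds only if every error exit taken after `in_buf` is pointed at `tmpbuf` goes through this label; the `ret->ignore = TRUE;` exits earlier in the section are rendered without the statement that follows them, so it is worth confirming that none of them still returns directly. A buffer that is not `tmpbuf` is left attached to `data` on failure, which looks deliberate (presumably it is heap-owned and released later in `eap_tnc_deinit`) but is not stated anywhere in the visible lines. I would record the reason at the label: `/* in_buf may point at the on-stack tmpbuf; never let that pointer outlive this call */`. The place where `tmpbuf` is assigned and the function's closing lines are outside the visible hunks.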