From 209f7bc0410bee3fadd70a6d9955346bc65ad569 Mon Sep 17 00:00:00 2001
From: Jiang Jiang Jian <jack@espressif.com>
Date: Fri, 22 May 2020 13:18:36 +0000
Subject: [PATCH] Merge branch 'bugfix/supplicant_general_fixes_33' into
 'release/v3.3'

wpa_supplicant: Fix some memleaks and invalid memory access(backport V3.3)

See merge request espressif/esp-idf!8741

(cherry picked from commit 19736dbedc37a6958a508d5d0d93851ee81b0e91)

b91bba1a wpa_supplicant: Fix some memleaks and invalid memory access
---
 components/wpa_supplicant/src/wps/wps.c       | 42 +++++++++----------
 .../wpa_supplicant/src/wps/wps_registrar.c    |  1 +
 2 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/components/wpa_supplicant/src/wps/wps.c b/components/wpa_supplicant/src/wps/wps.c
index 2ed83bbf6..621119d1b 100644
--- a/components/wpa_supplicant/src/wps/wps.c
+++ b/components/wpa_supplicant/src/wps/wps.c
@@ -273,42 +273,40 @@ _out:
  * provisioning, -1 if wps_a is considered more like, or 0 if no preference
  */
 int wps_ap_priority_compar(const struct wpabuf *wps_a,
-               const struct wpabuf *wps_b)
+                           const struct wpabuf *wps_b)
 {
-    struct wps_parse_attr *attr_a, *attr_b;
+    struct wps_parse_attr *attr = NULL;
     int sel_a, sel_b;
-    int ret = 0;
+    int ret = 0; /* No preference */
 
-    attr_a = (struct wps_parse_attr *)os_zalloc(sizeof(struct wps_parse_attr));
-    attr_b = (struct wps_parse_attr *)os_zalloc(sizeof(struct wps_parse_attr));
+    attr = os_zalloc(sizeof(*attr));
 
-    if (attr_a == NULL || attr_b == NULL) {
-        ret = 0;
-        goto _out;
+    if (!attr)
+	    return ret;
+
+    if (wps_a == NULL || wps_parse_msg(wps_a, attr) < 0) {
+        ret = 1;
+        goto exit;
     }
+    sel_a = attr->selected_registrar && *(attr->selected_registrar) != 0;
 
-    if (wps_a == NULL || wps_parse_msg(wps_a, attr_a) < 0)
-        return 1;
-    if (wps_b == NULL || wps_parse_msg(wps_b, attr_b) < 0)
-        return -1;
-
-    sel_a = attr_a->selected_registrar && *attr_a->selected_registrar != 0;
-    sel_b = attr_b->selected_registrar && *attr_b->selected_registrar != 0;
+    if (wps_b == NULL || wps_parse_msg(wps_b, attr) < 0) {
+        ret = -1;
+        goto exit;
+    }
+    sel_b = attr->selected_registrar && *(attr->selected_registrar) != 0;
 
     if (sel_a && !sel_b) {
         ret = -1;
-        goto _out;
+        goto exit;
     }
     if (!sel_a && sel_b) {
         ret = 1;
-        goto _out;
+        goto exit;
     }
 
-_out:
-    if (attr_a)
-        os_free(attr_a);
-    if (attr_b)
-        os_free(attr_b);
+exit:
+    os_free(attr);
     return ret;
 }
 
diff --git a/components/wpa_supplicant/src/wps/wps_registrar.c b/components/wpa_supplicant/src/wps/wps_registrar.c
index a38a75d1f..1efb3c88b 100644
--- a/components/wpa_supplicant/src/wps/wps_registrar.c
+++ b/components/wpa_supplicant/src/wps/wps_registrar.c
@@ -1689,6 +1689,7 @@ int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
 		if (random_get_bytes(r, sizeof(r)) < 0)
 			return -1;
 		os_free(wps->new_psk);
+		wps->new_psk = NULL;
 		//wps->new_psk = base64_encode(r, sizeof(r), &wps->new_psk_len);
 		if (wps->new_psk == NULL)
 			return -1;