From 5890fa81d88d37f63adb2281e280a36e8f14a3d7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 1 Jan 2014 22:00:09 +0200
Subject: [PATCH] WPS: Fix clear-from-timeout handling to avoid race condition
The 100 ms timeout to clear WPS state after EAP-Failure has been received worked otherwise fine, but it opened a race condition on another WPS operation starting within that wait. If that happens, the timeout will cancel that new operation unexpectedly. Fix this by cancelling the timeout from wpas_clear_wps().
Signed-hostap: Jouni Malinen
---
 wpa_supplicant/wps_supplicant.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 277201eac..6c7508c0a 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -866,6 +866,7 @@ static void wpas_clear_wps(struct wpa_supplicant *wpa_s)
 wpas_wps_reenable_networks(wpa_s);
 eloop_cancel_timeout(wpas_wps_timeout, wpa_s, NULL);
+ eloop_cancel_timeout(wpas_wps_clear_timeout, wpa_s, NULL);
 /* Remove any existing WPS network from configuration */
 ssid = wpa_s->conf->ssid;
@@ -1135,6 +1136,9 @@ int wpas_wps_cancel(struct wpa_supplicant *wpa_s)
 } else {
 wpas_wps_reenable_networks(wpa_s);
 wpas_wps_clear_ap_info(wpa_s);
+ if (eloop_cancel_timeout(wpas_wps_clear_timeout, wpa_s, NULL) >
+ 0)
+ wpas_clear_wps(wpa_s);
 }
 wpa_s->after_wps = 0;
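Review bot: In the second hunk (wpas_wps_cancel), the added `if` is unbraced and its comparison wraps so that a lone `0)` sits on its own line, and nothing at the call site says why a pending clear timeout means wpas_clear_wps() must run immediately. I would brace the statement and put a comment above it, for example `/* Clear timeout was still pending: do the deferred WPS cleanup now instead of letting a stale timer fire later */`. Judging from the context lines of the first hunk, wpas_clear_wps() itself calls wpas_wps_reenable_networks(), so on this path that function runs twice in a row; this is presumably harmless, but worth confirming that it is idempotent. Both wpas_clear_wps() and wpas_wps_cancel() start and end outside the visible hunks, so the rest of the cancel path could not be checked here.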