From 65a32cdbcb42f09521622d409dfcb04a888432d0 Mon Sep 17 00:00:00 2001
From: Michael Braun
Date: Sat, 30 Mar 2013 19:53:22 +0200
Subject: [PATCH] AP: Fix infinite loop in WPA state machine when out of random bytes

When the OS is out of random bytes in SM_STATE(WPA_PTK, AUTHENTICATION2) in ap/wpa_auth.c, hostapd sends the sm to state DISCONNECT without clearing ReAuthenticationRequest, resulting in an infinite loop.

Clearing sm->ReAuthenticationRequest using gdb fixes the running hostapd instance for me.

Also sm->Disconnect = TRUE should be used instead of wpa_sta_disconnect() to make sure that the incomplete ANonce does not get used.

Fix this issue by resetting sm->ReAuthenticationRequest even if the STA gets disconnected and use sm->Disconnect instead of wpa_sta_disconnect().

Signed-hostap: Michael Braun
---
 src/ap/wpa_auth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index fa4b1cb39..4f1f6fbc1 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1598,6 +1598,7 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
 
 	wpa_group_ensure_init(sm->wpa_auth, sm->group);
+	sm->ReAuthenticationRequest = FALSE;
 
 	/*
 	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
@@ -1611,12 +1612,11 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
 	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
 		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
			   "ANonce.");
-		wpa_sta_disconnect(sm->wpa_auth, sm->addr);
+		sm->Disconnect = TRUE;
 		return;
 	}
 	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
 		    WPA_NONCE_LEN);
-	sm->ReAuthenticationRequest = FALSE;
 	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
 	 * logical place than INITIALIZE since AUTHENTICATION2 can be
 	 * re-entered on ReAuthenticationRequest without going through
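Review bot: The new `sm->Disconnect = TRUE;` line in the second hunk carries no comment explaining why the state-machine flag replaced the direct wpa_sta_disconnect() call, so a later reader may "simplify" it back and reintroduce the loop; a why-comment on that line would keep the reasoning from the commit message next to the code, e.g. `/* Let the WPA_PTK step loop enter DISCONNECT; the incomplete ANonce must never reach PTKSTART */`. The failure path also returns with sm->ANonce holding whatever random_get_bytes() left behind, and although the transition to DISCONNECT should keep it from being used, wiping it first is cheap defence in depth: `os_memset(sm->ANonce, 0, WPA_NONCE_LEN);` immediately before `sm->Disconnect = TRUE;`. SM_STATE(WPA_PTK, AUTHENTICATION2) begins before the first hunk and continues past the end of the second, and the code that acts on sm->Disconnect in the step function is not part of this patch, so the assumption that DISCONNECT is actually entered rests on lines not shown here.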