wpa_supplicant: Don't process EAPOL frames while disconnecting

An EAPOL frame may be pending when wpa_supplicant requests to
deauthenticate. At this stage the EAP SM cache is already cleaned by
calling eapol_sm_invalidate_cached_session(). Since at this stage the
wpa_supplicant's state is still set to associated, the EAPOL frame is
processed and results in a crash due to NULL dereference.

This wasn't seen previously as nl80211 wouldn't process the
NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
set the valid_handler to NULL. This behavior was changed in commit
ab89291928 exposing this race.

Fix it by ignoring EAPOL frames while the deauthentication is in
progress.

Fixes: ab89291928 ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

wpa_supplicant/wpa_supplicant.c

@@ -4773,6 +4773,12 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr,
 	wpa_dbg(wpa_s, MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr));
 	wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len);
 
+	if (wpa_s->own_disconnect_req) {
+		wpa_printf(MSG_DEBUG,
+			   "Drop received EAPOL frame as we are disconnecting");
+		return;
+	}
+
 #ifdef CONFIG_TESTING_OPTIONS
 	if (wpa_s->ignore_auth_resp) {
 		wpa_printf(MSG_INFO, "RX EAPOL - ignore_auth_resp active!");