wpa_supplicant: Don't process EAPOL frames while disconnecting
An EAPOL frame may be pending when wpa_supplicant requests to deauthenticate. At this stage the EAP SM cache is already cleaned by calling eapol_sm_invalidate_cached_session(). Since at this stage the wpa_supplicant's state is still set to associated, the EAPOL frame is processed and results in a crash due to NULL dereference. This wasn't seen previously as nl80211 wouldn't process the NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would set the valid_handler to NULL. This behavior was changed in commit ab89291928, exposing this race. Fix it by ignoring EAPOL frames while the deauthentication is in progress.
Fixes: ab89291928 ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
parent
e80e6a2f17
commit
82a348eda4
1 changed files with 6 additions and 0 deletions
|
@ -4773,6 +4773,12 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr,
|
||||||
wpa_dbg(wpa_s, MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr));
|
wpa_dbg(wpa_s, MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr));
|
||||||
wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len);
|
wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len);
|
||||||
|
|
||||||
|
if (wpa_s->own_disconnect_req) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"Drop received EAPOL frame as we are disconnecting");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_TESTING_OPTIONS
|
#ifdef CONFIG_TESTING_OPTIONS
|
||||||
if (wpa_s->ignore_auth_resp) {
|
if (wpa_s->ignore_auth_resp) {
|
||||||
wpa_printf(MSG_INFO, "RX EAPOL - ignore_auth_resp active!");
|
wpa_printf(MSG_INFO, "RX EAPOL - ignore_auth_resp active!");
|
||||||
|
|
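Review bot: The new `own_disconnect_req` check in wpa_supplicant_rx_eapol() closes only this one entry point; the NULL dereference named in the commit message happens outside this hunk and stays unguarded there. Because the frame comes from the peer and its timing is not under local control, a NULL check at the dereference site would stop any other path that runs after eapol_sm_invalidate_cached_session() from crashing the same way. The guard also relies on `own_disconnect_req` being cleared on every path that ends the disconnect, which is not visible here; if the flag were ever left set, every later EAPOL frame would be dropped with only an MSG_DEBUG line as evidence. A comment above the check such as `/* EAPOL state was invalidated when deauthentication was requested; a late frame must not reach the state machine */` would record why the drop is needed. Using `wpa_dbg(wpa_s, MSG_DEBUG, ...)` instead of `wpa_printf()` would match the "RX EAPOL from" line just above it.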