From cf3d260c39a9efeb61f92e892e202fda7fa9a94b Mon Sep 17 00:00:00 2001 From: Andrew Beltrano Date: Wed, 16 Sep 2020 21:51:40 +0000 Subject: [PATCH] DPP2: Fix hostapd crash setting global configurator params on chirp RX When a Presence Announcement frame is received, a check is done to ensure an ongoing auth is not in progress (!hapd->dpp_auth). A new DPP auth is then initialized, however, when setting global configurator params for it, the hapd->dpp_auth pointer is used which was earlier confirmed as NULL, causing a crash in dpp_set_configurator params when the pointer is dereferenced. This only occurs when there are global DPP configurator params to be set and the peer has no overriding configurator params. If no global DPP configurator params exist, the call to dpp_set_configurator exits early and the problem is not observed. Fix by using the newly init'ed DPP auth structure for setting global DPP configurator params. Signed-off-by: Andrew Beltrano --- src/ap/dpp_hostapd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c index 15aa82b85..2a28239e1 100644 --- a/src/ap/dpp_hostapd.c +++ b/src/ap/dpp_hostapd.c @@ -1249,8 +1249,8 @@ hostapd_dpp_rx_presence_announcement(struct hostapd_data *hapd, const u8 *src, 0); if (!auth) return; - hostapd_dpp_set_testing_options(hapd, hapd->dpp_auth); - if (dpp_set_configurator(hapd->dpp_auth, + hostapd_dpp_set_testing_options(hapd, auth); + if (dpp_set_configurator(auth, hapd->dpp_configurator_params) < 0) { dpp_auth_deinit(auth); return;
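Review bot: In hostapd_dpp_rx_presence_announcement(), after the `if (!auth) return;` check, the rest of the function should be checked for any remaining read of hapd->dpp_auth before the new auth is stored there. The two calls changed here, hostapd_dpp_set_testing_options() and dpp_set_configurator(), both passed hapd->dpp_auth, and the hunk does not show the lines that follow the error path, so a third use of the same pattern would not be visible in this diff. A one-line comment above these calls stating that hapd->dpp_auth is still NULL at this point would keep the next edit from reintroducing it. Per the commit message the crash only shows up when global configurator params are set and the peer has none of its own, so a regression test that sets global params and then receives a Presence Announcement would cover the path that default setups never reach. It may also be worth having dpp_set_configurator() reject a NULL auth with an error return, so that a similar caller mistake fails the exchange instead of crashing hostapd.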