WPS: Fix STA state validation when processing PutWLANResponse

It is possible for an ER to send an unexpected PutWLANResponse action when the destination STA is in disassociated, but not fully deauthenticated state. sta->eapol_sm can be NULL in such state and as such, it would be possible to hit a NULL pointer dereference in the eapol_auth_eap_pending_cb() call at the end of the hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the station. Fix this by validating that sta->eapol_sm is set before processing the message. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-19 23:51:55 +02:00 · 2014-02-19 23:51:55 +02:00 · d87a6acdf5
parent ac494fcce4
commit d87a6acdf5
1 changed files with 10 additions and 0 deletions
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@ -1479,6 +1479,16 @@ static int hostapd_rx_req_put_wlan_response(
 		return 0;
 	}

+	if (!sta->eapol_sm) {
+		/*
+		 * This can happen, e.g., if an ER sends an extra message after
+		 * the station has disassociated (but not fully
+		 * deauthenticated).
+		 */
+		wpa_printf(MSG_DEBUG, "WPS UPnP: Matching STA did not have EAPOL state machine initialized");
+		return 0;
+	}
+
 	p = os_zalloc(sizeof(*p));
 	if (p == NULL)
 		return -1;