From d87a6acdf5aedec3fe6e1f19ce3c84f1741c2bf7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 19 Feb 2014 23:51:55 +0200
Subject: [PATCH] WPS: Fix STA state validation when processing PutWLANResponse

It is possible for an ER to send an unexpected PutWLANResponse action when the destination STA is in disassociated, but not fully deauthenticated state. sta->eapol_sm can be NULL in such state and as such, it would be possible to hit a NULL pointer dereference in the eapol_auth_eap_pending_cb() call at the end of the hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the station. Fix this by validating that sta->eapol_sm is set before processing the message.

Signed-off-by: Jouni Malinen
---
 src/ap/wps_hostapd.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 8aafa639e..3a40125b8 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -1479,6 +1479,16 @@ static int hostapd_rx_req_put_wlan_response(
 return 0;
 }
 
+ if (!sta->eapol_sm) {
+ /*
+ * This can happen, e.g., if an ER sends an extra message after
+ * the station has disassociated (but not fully
+ * deauthenticated).
+ */
+ wpa_printf(MSG_DEBUG, "WPS UPnP: Matching STA did not have EAPOL state machine initialized");
+ return 0;
+ }
+
 p = os_zalloc(sizeof(*p));
 if (p == NULL)
 return -1;
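Review bot: The added wpa_printf() line runs well past the 80-column limit that hostap code keeps, so it should be split into two adjacent string literals: `wpa_printf(MSG_DEBUG, "WPS UPnP: Matching STA did not have "` followed by `"EAPOL state machine initialized");`. The new guard does close the NULL dereference the commit describes, and returning 0 matches the earlier early-return in this hunk, so a stray PutWLANResponse for a half-torn-down STA is silently dropped rather than reported; if an operator should be able to notice a misbehaving ER, MSG_INFO would surface the event without debug logging enabled. The commit message says the eapol_auth_eap_pending_cb() call sits at the end of hostapd_wps_probe_req_rx(), which looks like a slip for hostapd_rx_req_put_wlan_response(), the function this hunk patches — worth correcting before merge. hostapd_rx_req_put_wlan_response() both starts and ends outside the hunk, so the path that actually reaches eapol_auth_eap_pending_cb() is not visible here.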