From dee202024370ff6b5a937322b090680f611c36aa Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 28 Aug 2015 16:30:06 +0300 Subject: [PATCH] EAPOL auth: clear keyRun in AUTH_PAE INITIALIZE Clearing keyRun here is not specified in IEEE Std 802.1X-2004, but it looks like this would be logical thing to do here since the EAPOL-Key exchange is not possible in this state. It is possible to get here on disconnection event without advancing to the AUTHENTICATING state to clear keyRun before the IEEE 802.11 RSN authenticator state machine runs and that may advance from AUTHENTICATION2 to INITPMK if keyRun = TRUE has been left from the last association. This can be avoided by clearing keyRun here. It was possible to hit this corner case in the hwsim test case ap_wpa2_eap_eke_server_oom in the case getKey operation was forced to fail memory allocation. The following association resulted in the station getting disconnected when entering INITPMK without going through EAP authentication. Signed-off-by: Jouni Malinen --- src/eapol_auth/eapol_auth_sm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c index f9f91ad5c..ff33d2862 100644 --- a/src/eapol_auth/eapol_auth_sm.c +++ b/src/eapol_auth/eapol_auth_sm.c @@ -198,6 +198,18 @@ SM_STATE(AUTH_PAE, INITIALIZE) { SM_ENTRY_MA(AUTH_PAE, INITIALIZE, auth_pae); sm->portMode = Auto; + + /* + * Clearing keyRun here is not specified in IEEE Std 802.1X-2004, but + * it looks like this would be logical thing to do here since the + * EAPOL-Key exchange is not possible in this state. It is possible to + * get here on disconnection event without advancing to the + * AUTHENTICATING state to clear keyRun before the IEEE 802.11 RSN + * authenticator state machine runs and that may advance from + * AUTHENTICATION2 to INITPMK if keyRun = TRUE has been left from the + * last association. This can be avoided by clearing keyRun here. + */ + sm->keyRun = FALSE; }