From e3ba0c4cd230424de1c05d90b28dca56af1fb953 Mon Sep 17 00:00:00 2001
From: Rohan
Date: Fri, 14 Aug 2020 19:06:15 +0530
Subject: [PATCH] Do not start SA Query procedure without keys

The AP mode condition for initiating the SA Query procedure when receiving a new (Re)Association Request frame used only association state and MFP negotiation result without checking that the key exchange has been completed. This can give rise to a corner case where the SA Query procedure may get started after open association but before the 4-way handshake has been completed, resulting in open SA query frames over the air.

Fix this by adding station authorized check in hostapd_notif_assoc() and check_assoc_ies().

Signed-off-by: Rohan
---
 src/ap/drv_callbacks.c | 10 ++++++----
 src/ap/ieee802_11.c | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 9faac0ddc..a8b339f58 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -388,13 +388,15 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
 goto fail;
 }
- if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
- (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+ if ((sta->flags &
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
 !sta->sa_query_timed_out && sta->sa_query_count > 0)
 ap_check_sa_query_timeout(hapd, sta);
- if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
- (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+ if ((sta->flags &
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
 !sta->sa_query_timed_out && (sta->auth_alg != WLAN_AUTH_FT)) {
 /*
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 13431d567..e3a9cbee9 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
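Review bot: The three-flag condition `(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) == (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)` is now spelled out four times, twice in this hostapd_notif_assoc() hunk and twice in the check_assoc_ies() hunk below, so a future change to the set of flags that must be present before SA Query may act on a station can easily miss one of the sites. A small static inline helper on struct sta_info (for example a proposed `sta_mfp_sa_query_ready(sta)` returning that mask comparison) would keep all four checks identical and reduce each site to `if (sta_mfp_sa_query_ready(sta) && !sta->sa_query_timed_out && sta->sa_query_count > 0)`. Nothing in the code records why WLAN_STA_AUTHORIZED is required; the commit message does, so a comment at the first check such as `/* SA Query frames must be protected: only run the procedure once the 4-way handshake has completed (WLAN_STA_AUTHORIZED) */` would carry that reasoning into the source. hostapd_notif_assoc() begins before and continues after this hunk.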
@@ -3328,13 +3328,15 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 resp = wpa_res_to_status_code(res);
 if (resp != WLAN_STATUS_SUCCESS)
 return resp;
- if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
- (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+ if ((sta->flags &
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
 !sta->sa_query_timed_out && sta->sa_query_count > 0)
 ap_check_sa_query_timeout(hapd, sta);
- if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
- (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+ if ((sta->flags &
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+ (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
 !sta->sa_query_timed_out && (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
 /*
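Review bot: Adding WLAN_STA_AUTHORIZED to the first condition also gates the call to ap_check_sa_query_timeout(), so a station that still has sa_query_count > 0 but has since lost WLAN_STA_AUTHORIZED is no longer given its timeout bookkeeping from this path; the same applies to the first check in the drv_callbacks.c hunk. The unprotected-frame problem described in the commit message comes from the second condition, the one that starts a new SA Query, so it is worth confirming whether the first check needs the new flag at all or whether the SA Query timer and station removal already cover that case. If only the second check is meant to change, the first would stay as it was, `if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) == (WLAN_STA_ASSOC | WLAN_STA_MFP) &&`. check_assoc_ies() begins before and continues after this hunk.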