From fa4b605a0d1dcbd32a5038d61b90b8efd1ec7645 Mon Sep 17 00:00:00 2001
From: Lior David
Date: Thu, 28 Sep 2017 21:55:09 +0300
Subject: [PATCH] WPS: Do not increment wildcard_uuid when pin is locked
Commit 84751b98c151f70c322b6b7f70d967400e147852 ('WPS: Allow wildcard UUID PIN to be used twice') relaxed the constraints on how many time a wildcard PIN can be used to allow two attempts. However, it did this in a way that could result in concurrent attempts resulting in the wildcard PIN being invalidated even without the second attempt actually going as far as trying to use the PIN and a WPS protocol run. wildcard_uuid is a flag/counter set for wildcard PINs and it is incremented whenever the PIN is retrieved by wps_registrar_get_pin(). Eventually it causes the wildcard PIN to be released, effectively limiting the number of registration attempts with a wildcard PIN. With the previous implementation, when the PIN is in use and locked (PIN_LOCKED), it is not returned from wps_registrar_get_pin() but wildcard_uuid is still incremented which can cause the PIN to be released earlier and stations will have fewer registration attempts with it. Fix this scenario by only incrementing wildcard_uuid if the PIN is actually going to be returned and used.
Signed-off-by: Lior David
---
 src/wps/wps_registrar.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index def2ad690..379925e3f 100644
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -880,6 +880,7 @@ static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
 const u8 *uuid, size_t *pin_len)
 {
 struct wps_uuid_pin *pin, *found = NULL;
+ int wildcard = 0;
 wps_registrar_expire_pins(reg);
@@ -899,7 +900,7 @@ static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
 pin->wildcard_uuid == 2) {
 wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
 "PIN. Assigned it for this UUID-E");
- pin->wildcard_uuid++;
+ wildcard = 1;
 os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
 found = pin;
 break;
@@ -921,6 +922,8 @@ static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
 }
 *pin_len = found->pin_len;
 found->flags |= PIN_LOCKED;
+ if (wildcard)
+ found->wildcard_uuid++;
 return found->pin;
 }
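Review bot: The `os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);` kept in the wildcard branch of the second hunk still runs as soon as a wildcard entry is matched, so the entry's stored UUID is rewritten with the caller's UUID-E even if the call then returns without handing out the PIN; that is the same early side effect this commit removes for the counter. The PIN_LOCKED rejection described in the commit message lies between the two hunks and is not visible here, so the following is inferred: a rejected concurrent attempt would leave the in-use wildcard PIN bound to a different UUID than the enrollee that holds it, and any later lookup that matches on `pin->uuid` (unlock or invalidate, if they key on the UUID) could miss the entry. Consider deferring the copy to the same place as the increment in the last hunk, `if (wildcard) { os_memcpy(found->uuid, uuid, WPS_UUID_LEN); found->wildcard_uuid++; }`. A short comment there such as `/* Bind and count the wildcard PIN only once it is actually handed out */` would record why the update is delayed.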