[PATCH 19/44] FT: check hapd->wpa_auth before RRB internal delivery

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Michael Braun <michael-dev@xxxxxxxxxxxxx>

A malcious station could try to do FT-over-DS with a non WPA-enabled BSS.
When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by a
non-WPA enabled BSS.
This processing will crash hostapd as hapd->wpa_auth is null.
If the target BSS is on a different hostapd instance, it will not listen
for these packets and thus not crash.

This patch fixes this by checking hapd->wpa_auth before delivery.

Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx>
---
 src/ap/wpa_auth_glue.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index a85559a..ee34012 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -423,6 +423,8 @@ static int hostapd_wpa_auth_ft_iter(struct hostapd_iface *iface, void *ctx)
 		hapd = iface->bss[j];
 		if (hapd == idata->src_hapd)
 			continue;
+		if (!hapd->wpa_auth)
+			continue;
 		if (os_memcmp(hapd->own_addr, idata->dst, ETH_ALEN) == 0) {
 			wpa_printf(MSG_DEBUG, "FT: Send RRB data directly to "
 				   "locally managed BSS " MACSTR "@%s -> "
-- 
1.9.1


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux