An EAPOL frame may be pending when the supplicant requests to deauthenticate. At this stage the EAP SM cache is already cleaned by calling eapol_sm_invalidate_cached_session(). Since at this stage the wpa_supplicant's state is still set to associated, the EAPOL is processed and results in a crash due to NULL dereference. This wasn't seen previously as nl80211 wouldn't process the NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would set the valid_handler to NULL. This behavior was changed in ab8929192 ("nl80211: use the process_bss_event for the nl_connect handler"), exposing this race. Fix it by ignoring EAPOL frames while the deauthentication is in progress. Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@xxxxxxxxx> --- wpa_supplicant/wpa_supplicant.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 6a02ed7c56..c8dcef21bd 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -4773,6 +4773,11 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr, wpa_dbg(wpa_s, MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); + if (wpa_s->own_disconnect_req) { + wpa_printf(MSG_DEBUG, "RX EAPOL - drop EAPOL frame as we are disconnecting"); + return; + } + #ifdef CONFIG_TESTING_OPTIONS if (wpa_s->ignore_auth_resp) { wpa_printf(MSG_INFO, "RX EAPOL - ignore_auth_resp active!"); -- 2.28.0 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
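Review bot: the new `own_disconnect_req` check in wpa_supplicant_rx_eapol() closes the race described in the commit message at the entry point, but the underlying defect is a NULL dereference in the EAPOL processing path once eapol_sm_invalidate_cached_session() has run while the state is still associated; a second, defensive NULL check at the dereference site would make the crash unreachable regardless of which flag or driver path delivers the frame, and is worth adding or at least mentioning in the commit message as deliberately omitted. Two smaller points on the hunk: the added `wpa_printf(MSG_DEBUG, "RX EAPOL - drop EAPOL frame as we are disconnecting");` line runs past 80 columns with the tab indent and should be wrapped to match hostap style, and the immediately preceding code uses `wpa_dbg(wpa_s, MSG_DEBUG, ...)` so the interface name is included in the log; using the same helper here keeps the dropped-frame message attributable to an interface when several are running.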