On Sun, Mar 07, 2021 at 11:40:01PM +0200, Andrei Otcheretianski wrote:
> An EAPOL frame may be pending when the supplicant requests to
> deauthenticate. At this stage the EAP SM cache is already cleaned by
> calling eapol_sm_invalidate_cached_session(). Since at this stage the
> wpa_supplicant's state is still set to associated, the EAPOL is
> processed and results in a crash due to NULL dereference.
>
> This wasn't seen previously as nl80211 wouldn't process the
> NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
> set the valid_handler to NULL. This behavior was changed in ab8929192
> ("nl80211: use the process_bss_event for the nl_connect handler"),
> exposing this race.
>
> Fix it by ignoring EAPOL frames while the deauthentication is in
> progress.

Thanks, applied. However, I was unable to reproduce that NULL dereference
by trying to add calls to eapol_sm_invalidate_cached_session() in
inconvenient places. Can you please provide more details on that crash
and which pointer is being dereferenced? I'd like to add more protection
against unexpected cases, but cannot do that here since I could not
figure out where this NULL dereferencing could have happened.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
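The window the commit message describes (cached session already invalidated, association state not yet updated, late EAPOL frame still dispatched) can be reproduced in a small stand-alone model. The following C program is an added example written for this page; it is not wpa_supplicant code, and every structure, field and function name in it (struct supplicant, deauth_in_progress, sup_rx_eapol, run_scenario, the sample frame) is an illustrative assumption. It replays the sequence twice, once without the guard and once with the "ignore EAPOL while deauthentication is in progress" check, and reports a sentinel value where the unguarded path would have dereferenced the NULL state-machine pointer.

```c
/* Added example: simplified model of the race, not wpa_supplicant code.
 * All names below are assumptions chosen for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum wpa_state { WPA_DISCONNECTED = 0, WPA_ASSOCIATED = 1 };

struct eapol_sm {
    int frames_handled;         /* frames dispatched into the EAP state machine */
};

struct supplicant {
    enum wpa_state state;       /* stays ASSOCIATED until the driver reports the deauth */
    int deauth_in_progress;     /* guard the fix introduces (assumed name) */
    struct eapol_sm *eapol;     /* NULL once the cached session is invalidated */
    int dropped;                /* frames ignored by the guard */
};

static void sup_associate(struct supplicant *s)
{
    s->state = WPA_ASSOCIATED;
    s->deauth_in_progress = 0;
    s->eapol = calloc(1, sizeof(*s->eapol));
}

/* Models the deauth request: the cached session is torn down right away
 * (as eapol_sm_invalidate_cached_session() does in the message above),
 * but the association state is not touched until the driver event arrives. */
static void sup_request_deauth(struct supplicant *s)
{
    s->deauth_in_progress = 1;
    free(s->eapol);
    s->eapol = NULL;
    /* s->state deliberately left at WPA_ASSOCIATED: this is the window. */
}

static void sup_deauth_complete(struct supplicant *s)
{
    s->state = WPA_DISCONNECTED;
    s->deauth_in_progress = 0;
}

/* Minimal EAPOL header sanity check: version 1..3, packet type 0..4,
 * body length not exceeding what was actually received. */
static int eapol_header_ok(const unsigned char *frame, size_t len)
{
    if (len < 4)
        return 0;
    unsigned body = ((unsigned)frame[2] << 8) | frame[3];
    return frame[0] >= 1 && frame[0] <= 3 && frame[1] <= 4 && body <= len - 4;
}

/* Return codes: 1 handled, 0 ignored, -1 the state-machine pointer was NULL
 * (stand-in for the crash; the unfixed path has no such check in reality). */
static int sup_rx_eapol(struct supplicant *s, const unsigned char *frame,
                        size_t len, int fixed)
{
    if (s->state != WPA_ASSOCIATED || !eapol_header_ok(frame, len))
        return 0;
    if (fixed && s->deauth_in_progress) {   /* the fix: drop while deauthenticating */
        s->dropped++;
        return 0;
    }
    if (s->eapol == NULL)
        return -1;
    s->eapol->frames_handled++;
    return 1;
}

/* Constructed EAPOL-Key frame: version 2, type 3 (Key), 2-byte body. */
static const unsigned char sample_eapol[] = { 0x02, 0x03, 0x00, 0x02, 0x02, 0x00 };

/* Replays: associate, one frame, deauth request, then the late frame.
 * Returns the result of the late frame; *dropped_out gets the drop count. */
int run_scenario(int fixed, int *dropped_out)
{
    struct supplicant s;
    memset(&s, 0, sizeof(s));
    sup_associate(&s);
    int first = sup_rx_eapol(&s, sample_eapol, sizeof(sample_eapol), fixed);
    if (first != 1)
        return -2;                          /* model failure, should not happen */
    sup_request_deauth(&s);
    int late = sup_rx_eapol(&s, sample_eapol, sizeof(sample_eapol), fixed);
    sup_deauth_complete(&s);
    if (dropped_out)
        *dropped_out = s.dropped;
    free(s.eapol);                          /* NULL here; free(NULL) is a no-op */
    return late;
}

int main(void)
{
    int d = 0;
    int unfixed = run_scenario(0, &d);
    printf("unfixed: late frame result %d (-1 = NULL sm pointer reached)\n", unfixed);
    int fixed = run_scenario(1, &d);
    printf("fixed:   late frame result %d, frames dropped %d\n", fixed, d);
    return 0;
}
```

The point the model makes is that checking the association state alone is not a sufficient guard, because the driver-reported state transition lags behind the local teardown; the guard has to be a flag set at the same moment the session is invalidated, and the receive path must test it before touching the state-machine pointer.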