On Fri, Dec 01, 2023 at 04:14:11PM +0100, Remi Pommarel wrote:
> The wpa_auth_callbacks for mesh was missing a for_each_sta
> implementation. This is an issue with pmksa cache, as when a cache entry
> expires the for_each_sta callback is called in order to clear the pmksa
> reference for all sta that were using this entry. Not having a
> for_each_sta callback will prevent this cleanup from happening; a sta
> could then still use this pmksa entry even after it has been freed.
>
> This use after free was not a problem up until recently, where dpp_pkhash
> is now stored in the pmksa entry and retrieved later on, causing a crash
> with the below backtrace:
>
>  _wpa_snprintf_hex src/utils/common.c:326
>  wpa_snprintf_hex src/utils/common.c:348
>  hostapd_ctrl_iface_sta_mib src/ap/ctrl_iface_ap.c:542
>  hostapd_ctrl_iface_sta_mib src/ap/ctrl_iface_ap.c:542
>  hostapd_ctrl_iface_sta_mib src/ap/ctrl_iface_ap.c:600
>  hostapd_ctrl_iface_sta src/ap/ctrl_iface_ap.c:615
>  wpa_supplicant_ctrl_iface_process src/wpa_supplicant/ctrl_iface.c:12741
>  wpa_supplicant_global_ctrl_iface_receive src/wpa_supplicant/ctrl_iface_unix.c:1141
>  eloop_sock_table_dispatch src/utils/eloop.c:625
>  eloop_run src/utils/eloop.c:1238
>  wpa_supplicant_run src/wpa_supplicant/wpa_supplicant.c:8021
>  main src/wpa_supplicant/main.c:393
>
> Adding a for_each_sta callback fixes that.

Thanks, applied.

-- 
Jouni Malinen                                            PGP id EFC895FA
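The cleanup path described in the quoted commit message, as an added example that is not part of this thread and is not hostapd code: a simplified C model of a PMKSA cache whose expiry relies on a `for_each_sta` callback to clear per-station references before the entry is freed. All struct and function names other than `for_each_sta` and `dpp_pkhash` are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
/* Simplified model: all struct and function names here are hypothetical. */
struct pmksa_entry { unsigned char dpp_pkhash[32]; };
struct sta { struct pmksa_entry *pmksa; }; /* reference into the cache */
struct auth;
typedef int (*sta_iter_cb)(struct sta *sta, void *ctx);
struct auth_callbacks { /* for_each_sta left NULL models the missing callback */
    int (*for_each_sta)(struct auth *a, sta_iter_cb cb, void *cb_ctx);
};
struct auth { struct auth_callbacks cb; struct sta *stas; size_t num_sta; };

/* Per-station cleanup: drop the reference to the entry being freed. */
static int clear_pmksa_ref(struct sta *sta, void *ctx)
{
    if (sta->pmksa == ctx)
        sta->pmksa = NULL;
    return 0;
}

/* A for_each_sta implementation: visit every station until cb returns non-zero. */
static int iter_all_sta(struct auth *a, sta_iter_cb cb, void *cb_ctx)
{
    for (size_t i = 0; i < a->num_sta; i++)
        if (cb(&a->stas[i], cb_ctx))
            return 1;
    return 0;
}

/* Expire a non-NULL entry. Returns the number of stations left holding a
 * dangling pointer to it (counted before the free, never dereferenced). */
static size_t expire_entry(struct auth *a, struct pmksa_entry *e)
{
    size_t dangling = 0;
    if (a->cb.for_each_sta)
        a->cb.for_each_sta(a, clear_pmksa_ref, e);
    for (size_t i = 0; i < a->num_sta; i++)
        dangling += (a->stas[i].pmksa == e);
    free(e);
    return dangling;
}
int main(void)
{
    struct sta stas[2] = { { NULL }, { NULL } };
    struct auth a = { { iter_all_sta }, stas, 2 };
    struct pmksa_entry *e = calloc(1, sizeof(*e));
    if (!e) return 1;
    stas[0].pmksa = stas[1].pmksa = e;
    return expire_entry(&a, e) != 0; /* exit status 0: no dangling references */
}
```

A non-zero return from `expire_entry` is the condition the backtrace results from: a later read of `dpp_pkhash` through such a station pointer touches freed memory.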