FILS: Fix send_assoc_resp() HLP extension to cover sta == NULL

Commit 91d91abf6f9bf420643a9245b63f5ac8c6bbb18a ('FILS: DHCP relay for
HLP requests') added steps that are conditional on sta->fils_hlp_resp
being non-NULL. One of these cases within send_assoc_resp() was properly
protected from sta == NULL error case (that is now possible after a
recent DMG change), but the first one was not. A DMG error case in a
CONFIG_FILS=y build could have hit a NULL pointer dereference here. Fix
this by verifying sta != NULL more consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index d9bc976e371651ef08501e7840256e342323a882..d060cfad805db7929a3dfef330c664a508bbe641 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2274,7 +2274,7 @@ static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
 
        buflen = sizeof(struct ieee80211_mgmt) + 1024;
 #ifdef CONFIG_FILS
-       if (sta->fils_hlp_resp)
+       if (sta && sta->fils_hlp_resp)
                buflen += wpabuf_len(sta->fils_hlp_resp);
 #endif /* CONFIG_FILS */
        buf = os_zalloc(buflen);