mesh: Fix SAE reauthentication processing

ap_free_sta() frees the sta entry, so sta->addr cannot be used after
that call. Fix the sequence of these two calls to avoid use of freed
memory to determine which PMKSA cache entry to remove.

Fixes: 9f2cf23e2e0d ("mesh: Add support for PMKSA caching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index a8a83795efd77b367e14d074c5e7be80563b0b28..ebcdbc5cff36c65fe4dbf858721f3104c18aa47e 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -896,8 +896,8 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
                        wpa_printf(MSG_DEBUG, "SAE: remove the STA (" MACSTR
                                   ") doing reauthentication",
                                   MAC2STR(sta->addr));
-                       ap_free_sta(hapd, sta);
                        wpa_auth_pmksa_remove(hapd->wpa_auth, sta->addr);
+                       ap_free_sta(hapd, sta);
                } else if (auth_transaction == 1) {
                        wpa_printf(MSG_DEBUG, "SAE: Start reauthentication");
                        ret = auth_sae_send_commit(hapd, sta, bssid, 1);