Do prune_association only after the STA is authorized

Prune-associations should be done only after the new station is
authorized. Otherwise any STA can cause denial of service to connected
stations in PMF case when more than a single interface is being
controlled by the same hostapd process.

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>

diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index ef8800c8c14a43d1bed68338901d9ace29799dc1..112e6fad312312a7e298eb94f5b7b9c06b5dc251 100644 (file)
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -3339,7 +3339,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
                return;
        }
 
-       hostapd_prune_associations(hapd, sta->addr);
        ap_sta_clear_disconnect_timeouts(hapd, sta);
        sta->post_csa_sa_query = 0;
 

diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 0897bcda4dd1e47f95c1d6e59afd1eb0fafb8ad2..4eb41528e134cf850aa8504d6ba03d7bb8404722 100644 (file)
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -1280,10 +1280,12 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta,
        if (!!authorized == !!(sta->flags & WLAN_STA_AUTHORIZED))
                return;
 
-       if (authorized)
+       if (authorized) {
+               hostapd_prune_associations(hapd, sta->addr);
                sta->flags |= WLAN_STA_AUTHORIZED;
-       else
+       } else {
                sta->flags &= ~WLAN_STA_AUTHORIZED;
+       }
 
 #ifdef CONFIG_P2P
        if (hapd->p2p_group == NULL) {