DPP: Avoid a potential use-after-free on an error path in AP
authorJouni Malinen <quic_jouni@quicinc.com>
Mon, 22 Jan 2024 11:59:03 +0000 (13:59 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 22 Jan 2024 11:59:03 +0000 (13:59 +0200)
The TX status handler for DPP Authentication Confirm message might have
resulted in use-after-free if the start of a GAS query were to fail,
e.g., due to being somehow unable to transmit the initial request. Avoid
this by explicitly confirming that the authentication session was not
removed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/dpp_hostapd.c

index 812d21afdbd20ed1952afbbdd74ca1552cbb547d..3f89bc20c509b0518d3dcebb22a8c6d50ec78ecb 100644 (file)
@@ -539,8 +539,15 @@ void hostapd_dpp_tx_status(struct hostapd_data *hapd, const u8 *dst,
                return;
        }
 
-       if (hapd->dpp_auth_ok_on_ack)
+       if (hapd->dpp_auth_ok_on_ack) {
                hostapd_dpp_auth_success(hapd, 1);
+               if (!hapd->dpp_auth) {
+                       /* The authentication session could have been removed in
+                        * some error cases, e.g., when starting GAS client and
+                        * failing to send the initial request. */
+                       return;
+               }
+       }
 
        if (!is_broadcast_ether_addr(dst) && !ok) {
                wpa_printf(MSG_DEBUG,
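Review bot: The new `if (!hapd->dpp_auth)` guard after `hostapd_dpp_auth_success(hapd, 1)` only detects a session pointer that was reset to NULL, so it depends on every teardown path reachable from that call clearing `hapd->dpp_auth` when it frees the session. hostapd_dpp_tx_status() begins before and continues past this hunk, so it is not visible whether the remaining code works from a pointer read before the call. If it does, comparing `hapd->dpp_auth` against that saved value would also cover a session that was freed and then replaced. The early return is also silent; adding `wpa_printf(MSG_DEBUG, "DPP: Authentication session removed during TX status processing");` before `return;` would make this error path visible in debug logs.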