AP MLD: Cover wpa_sm clearing in authentication handling for ML STA

Clearing of wpa_sm for non-ML STAs ended up with possibility for a
previously generated ML STA entry to free sta->wpa_sm on one of the
links while leaving the other links potentially pointing to the freed
wpa_sm. Fix that by reordering code to allow the STA entry to be marked
to be for a non-AP MLD before calling
clear_wpa_sm_for_each_partner_link().

Fixes: 9603a83a1e3f ("AP MLD: Avoid reusing ML wpa state machine for non-ML STA")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index bf38537e2facf2ae77517717ff38d864d32acee3..47e5d3a5d2ca39c48fb7723dac54d44921885a1d 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3574,12 +3574,6 @@ static void handle_auth(struct hostapd_data *hapd,
        if (!sta->added_unassoc && auth_transaction == 1) {
                ap_sta_free_sta_profile(&sta->mld_info);
                os_memset(&sta->mld_info, 0, sizeof(sta->mld_info));
-               if ((!(sta->flags & WLAN_STA_MFP) ||
-                    !ap_sta_is_authorized(sta)) && sta->wpa_sm) {
-                       wpa_auth_sta_deinit(sta->wpa_sm);
-                       sta->wpa_sm = NULL;
-                       clear_wpa_sm_for_each_partner_link(hapd, sta);
-               }
 
                if (mld_sta) {
                        u8 link_id = hapd->mld_link_id;
@@ -3598,6 +3592,13 @@ static void handle_auth(struct hostapd_data *hapd,
                        os_memcpy(sta->mld_info.links[link_id].local_addr,
                                  hapd->own_addr, ETH_ALEN);
                }
+
+               if ((!(sta->flags & WLAN_STA_MFP) ||
+                    !ap_sta_is_authorized(sta)) && sta->wpa_sm) {
+                       wpa_auth_sta_deinit(sta->wpa_sm);
+                       sta->wpa_sm = NULL;
+                       clear_wpa_sm_for_each_partner_link(hapd, sta);
+               }
        }
 #endif /* CONFIG_IEEE80211BE */