Clear wpa_s->last/current_ssid in more cases
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 23 Feb 2022 19:47:10 +0000 (21:47 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 23 Feb 2022 22:23:25 +0000 (00:23 +0200)
It was possible for at least the wpa_s->last_ssid to be left pointing to
a removed network which could result in processing the following
association as a reassociation-within-an-ESS even when it was moving to
a different ESS. This could result in unexpected behavior. This was
found with the following test case sequence:
sigma_dut_ap_psk_sae_ft sae_h2e_password_id ap_wps_pk_oom sigma_dut_client_privacy

Move clearing of wpa_s->last_ssid and wpa_s->current_ssid into
wpas_notify_network_removed() to catch all cases similarly to the way
wpa_s->next_ssid was already cleared.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant/notify.c
wpa_supplicant/wpa_supplicant.c
wpa_supplicant/wps_supplicant.c

index 821c916c153f09bcaa8680196b7c65c74a105549..0c3f291d289629d8386451a63bb9e4371bc89c5a 100644 (file)
@@ -382,6 +382,10 @@ void wpas_notify_network_removed(struct wpa_supplicant *wpa_s,
 {
        if (wpa_s->next_ssid == ssid)
                wpa_s->next_ssid = NULL;
+       if (wpa_s->last_ssid == ssid)
+               wpa_s->last_ssid = NULL;
+       if (wpa_s->current_ssid == ssid)
+               wpa_s->current_ssid = NULL;
        if (wpa_s->wpa)
                wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid);
        if (!ssid->p2p_group && wpa_s->global->p2p_group_formation != wpa_s &&
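Review bot: The two added checks make wpas_notify_network_removed() the place where cached `struct wpa_ssid` pointers are dropped before a network entry is removed, but nothing in the function says so and its name reads as notification-only. A short comment above the three checks would make that contract explicit, for example `/* Drop every cached pointer to this network before it is removed; any new wpa_ssid pointer cached in wpa_s must be cleared here too. */`. Because wpa_s->current_ssid is now NULL when this function returns, any caller not touched by this commit that compares against wpa_s->current_ssid after the call would take a different branch; those callers are not visible here and are worth checking. The function body continues past the end of the hunk.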
index d37a994f98a5ac031b1bdf601a2fac946f1ba271..d89ee17e41ede56f05037e4c927922d772b1dd6a 100644 (file)
@@ -4242,7 +4242,7 @@ struct wpa_ssid * wpa_supplicant_add_network(struct wpa_supplicant *wpa_s)
  */
 int wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s, int id)
 {
-       struct wpa_ssid *ssid;
+       struct wpa_ssid *ssid, *prev = wpa_s->current_ssid;
        int was_disabled;
 
        ssid = wpa_config_get_network(wpa_s->conf, id);
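Review bot: `prev` is a snapshot of wpa_s->current_ssid taken before wpas_notify_network_removed() clears it, and the declaration does not say that it is only safe to compare, not dereference, once the network has been removed. A name and comment that carry this would help, e.g. `struct wpa_ssid *ssid, *prev_current = wpa_s->current_ssid; /* saved before notify clears it; compare only */`, with the same rename in the `ssid == prev || !prev` and `ssid == prev` conditions of the two following hunks. Inside the `ssid == prev` block, anything called after wpa_sm_set_config() that reads wpa_s->current_ssid now sees NULL rather than the network being removed. The rest of that block is outside the hunk, so this should be confirmed against the full function.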
@@ -4250,10 +4250,7 @@ int wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s, int id)
                return -1;
        wpas_notify_network_removed(wpa_s, ssid);
 
-       if (wpa_s->last_ssid == ssid)
-               wpa_s->last_ssid = NULL;
-
-       if (ssid == wpa_s->current_ssid || !wpa_s->current_ssid) {
+       if (ssid == prev || !prev) {
 #ifdef CONFIG_SME
                wpa_s->sme.prev_bssid_set = 0;
 #endif /* CONFIG_SME */
@@ -4264,7 +4261,7 @@ int wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s, int id)
                eapol_sm_invalidate_cached_session(wpa_s->eapol);
        }
 
-       if (ssid == wpa_s->current_ssid) {
+       if (ssid == prev) {
                wpa_sm_set_config(wpa_s->wpa, NULL);
                eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);
 
@@ -4327,8 +4324,6 @@ int wpa_supplicant_remove_all_networks(struct wpa_supplicant *wpa_s)
 
                id = ssid->id;
                ssid = ssid->next;
-               if (wpa_s->last_ssid == remove_ssid)
-                       wpa_s->last_ssid = NULL;
                wpas_notify_network_removed(wpa_s, remove_ssid);
                wpa_config_remove_network(wpa_s->conf, id);
        }
index 5633f3d1ecaf4a65168146b916708dcb2ec3a706..11f0b3d49751f9396bad869c4da7052e87cf22e4 100644 (file)
@@ -356,8 +356,6 @@ static void wpas_wps_remove_dup_network(struct wpa_supplicant *wpa_s,
                /* Remove the duplicated older network entry. */
                wpa_printf(MSG_DEBUG, "Remove duplicate network %d", ssid->id);
                wpas_notify_network_removed(wpa_s, ssid);
-               if (wpa_s->current_ssid == ssid)
-                       wpa_s->current_ssid = NULL;
                wpa_config_remove_network(wpa_s->conf, ssid->id);
        }
 }