AP: Fix infinite loop in WPA state machine when out of random bytes
authorMichael Braun <michael-dev@fami-braun.de>
Sat, 30 Mar 2013 17:53:22 +0000 (19:53 +0200)
committerJouni Malinen <j@w1.fi>
Sat, 30 Mar 2013 17:53:22 +0000 (19:53 +0200)
When the OS is out of random bytes in SM_STATE(WPA_PTK, AUTHENTICATION2)
in ap/wpa_auth.c, hostapd sends the sm to state DISCONNECT without
clearing ReAuthenticationRequest, resulting in an infinite loop.
Clearing sm->ReAuthenticationRequest using gdb fixes the running hostapd
instance for me. Also sm->Disconnect = TRUE should be used instead of
wpa_sta_disconnect() to make sure that the incomplete ANonce does not
get used.

Fix this issue by resetting sm->ReAuthenticationRequest even if the STA
gets disconnected, and by using sm->Disconnect instead of
wpa_sta_disconnect().

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>

src/ap/wpa_auth.c

index fa4b1cb398e6d66e2fcc1f93bf4febb483b6907c..4f1f6fbc18b0e4894855d685ea1dc8fd3076ebce 100644 (file)
@@ -1598,6 +1598,7 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
        SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
 
        wpa_group_ensure_init(sm->wpa_auth, sm->group);
+       sm->ReAuthenticationRequest = FALSE;
 
        /*
         * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
@@ -1611,12 +1612,11 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
        if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
                wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
                           "ANonce.");
-               wpa_sta_disconnect(sm->wpa_auth, sm->addr);
+               sm->Disconnect = TRUE;
                return;
        }
        wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
                    WPA_NONCE_LEN);
-       sm->ReAuthenticationRequest = FALSE;
        /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
         * logical place than INITIALIZE since AUTHENTICATION2 can be
         * re-entered on ReAuthenticationRequest without going through
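Review bot: The failure path at `sm->Disconnect = TRUE;` leaves whatever random_get_bytes() wrote into sm->ANonce in place, and nothing in the hunk shows that DISCONNECT is entered before another state could read it; since the commit message says the flag is what keeps the incomplete nonce from being used, a comment naming that dependency, `/* Disconnect is acted on before ANonce can be consumed; do not call wpa_sta_disconnect() here */`, would spare the next reader from re-deriving it. Moving `sm->ReAuthenticationRequest = FALSE;` ahead of the random fetch is the actual loop fix, so a one-line comment on it such as `/* Cleared before the ANonce fetch so a failure below cannot re-enter this state */` would make the ordering look deliberate rather than incidental. If a deferred DISCONNECT transition turns out to be possible, zeroing sm->ANonce on the failure path (os_memset() in hostapd's os wrappers) would be a cheap extra guard; this is a hedged suggestion, as the transition logic is outside the hunk. SM_STATE(WPA_PTK, AUTHENTICATION2) begins above the first hunk and its body continues past the second.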