FT: Check hapd->wpa_auth before RRB internal delivery

A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.

Fix this by checking hapd->wpa_auth before delivery.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>

diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index ffd0790fe94985f263a9efce6cba9893981a8890..fb830e9187761b54b098ee95a5e99ae780d8abbc 100644 (file)
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -413,6 +413,8 @@ static int hostapd_wpa_auth_ft_iter(struct hostapd_iface *iface, void *ctx)
                hapd = iface->bss[j];
                if (hapd == idata->src_hapd)
                        continue;
+               if (!hapd->wpa_auth)
+                       continue;
                if (os_memcmp(hapd->own_addr, idata->dst, ETH_ALEN) == 0) {
                        wpa_printf(MSG_DEBUG, "FT: Send RRB data directly to "
                                   "locally managed BSS " MACSTR "@%s -> "