WPS: Fix a race condition on WPS_CANCEL handling

If the WPS_CANCEL command were issued between the driver command
requesting association and the driver event indicating completion of
association, i.e., within the WPA_ASSOCIATING state, it was possible for
the association to continue and the WPS procedure to be completed after
this.

Address this by forcing deauthentication and WPS state clearing also in
the WPS_ASSOCIATING state and not only if the association has been
completed.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 7b9cf7f9e510d5500d4593b23bc83b09d4af8b8f..d332f000c32b4e141da2a7abeef9dc23f30f7a83 100644 (file)
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1375,7 +1375,7 @@ int wpas_wps_cancel(struct wpa_supplicant *wpa_s)
                wpa_printf(MSG_DEBUG, "WPS: Cancel operation - cancel scan");
                wpa_supplicant_cancel_scan(wpa_s);
                wpas_clear_wps(wpa_s);
-       } else if (wpa_s->wpa_state >= WPA_ASSOCIATED) {
+       } else if (wpa_s->wpa_state >= WPA_ASSOCIATING) {
                wpa_printf(MSG_DEBUG, "WPS: Cancel operation - "
                           "deauthenticate");
                wpa_s->own_disconnect_req = 1;