PASN: Fix passing own address and peer address to pasn_deauthenticate()

Need to copy own address and peer address locally and pass them to
pasn_deauthenticate(), because this pointer data will be flushed from
the PTKSA cache before sending the Deauthentication frame and these
pointers to then-freed memory would be dereferenced.

Fixes: 24929543 ("PASN: Deauthenticate on PTKSA cache entry expiration")
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>

diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c
index a8d4e919bb529f3f3281d75bdbb510e71fb05483..fbef7f2dff98fd42834863a131a4a918f886c66d 100644 (file)
--- a/wpa_supplicant/pasn_supplicant.c
+++ b/wpa_supplicant/pasn_supplicant.c
@@ -781,8 +781,14 @@ static int wpas_pasn_immediate_retry(struct wpa_supplicant *wpa_s,
 static void wpas_pasn_deauth_cb(struct ptksa_cache_entry *entry)
 {
        struct wpa_supplicant *wpa_s = entry->ctx;
+       u8 own_addr[ETH_ALEN];
+       u8 peer_addr[ETH_ALEN];
 
-       wpas_pasn_deauthenticate(wpa_s, entry->own_addr, entry->addr);
+       /* Use a copy of the addresses from the entry to avoid issues with the
+        * entry getting freed during deauthentication processing. */
+       os_memcpy(own_addr, entry->own_addr, ETH_ALEN);
+       os_memcpy(peer_addr, entry->addr, ETH_ALEN);
+       wpas_pasn_deauthenticate(wpa_s, own_addr, peer_addr);
 }