DPP3: Fix potential use-after-free on push button bootstrap info
authorJouni Malinen <quic_jouni@quicinc.com>
Mon, 22 Jan 2024 10:41:02 +0000 (12:41 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 22 Jan 2024 10:51:53 +0000 (12:51 +0200)
When removing the bootstrap info for the PB context, all the possible
pointers to that information need to be cleared to avoid accesses to
freed memory.

Fixes: 37bccfcab854 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
hostapd/ctrl_iface.c
src/ap/dpp_hostapd.c
wpa_supplicant/dpp_supplicant.c

index 01836cdf2a24291fd27e5378e20e02878d51174e..f2f7f0dbd3050afbbd67cac74e1e5dd13dc157be 100644 (file)
@@ -4542,6 +4542,7 @@ static void hostapd_ctrl_iface_flush(struct hapd_interfaces *interfaces)
 #ifdef CONFIG_DPP
        dpp_global_clear(interfaces->dpp);
 #ifdef CONFIG_DPP3
+       interfaces->dpp_pb_bi = NULL;
        {
                int i;
 
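Review bot: The added `interfaces->dpp_pb_bi = NULL;` clears only the global pointer, but `dpp_global_clear(interfaces->dpp)` on the line above frees every bootstrap entry, including one that a BSS may still reference through its `dpp_pkex_bi`; unless the block that follows (its body is outside this hunk) resets `hapd->dpp_pkex_bi` for each BSS, those pointers dangle in the same way this commit fixes in dpp_hostapd.c. A short comment would make the intent explicit, e.g. `/* dpp_global_clear() freed the PB bootstrap info; drop the remaining reference to it */`. hostapd_ctrl_iface_flush continues outside the hunk.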
index 2813155b967273e9feb9dd5e685ae2f6047624d0..812d21afdbd20ed1952afbbdd74ca1552cbb547d 100644 (file)
@@ -3955,11 +3955,25 @@ void hostapd_dpp_push_button_stop(struct hostapd_data *hapd)
        ifaces->dpp_pb_time.usec = 0;
        dpp_pkex_free(hapd->dpp_pkex);
        hapd->dpp_pkex = NULL;
+       hapd->dpp_pkex_bi = NULL;
        os_free(hapd->dpp_pkex_auth_cmd);
        hapd->dpp_pkex_auth_cmd = NULL;
 
        if (ifaces->dpp_pb_bi) {
                char id[20];
+               size_t i;
+
+               for (i = 0; i < ifaces->count; i++) {
+                       struct hostapd_iface *iface = ifaces->iface[i];
+                       size_t j;
+
+                       for (j = 0; iface && j < iface->num_bss; j++) {
+                               struct hostapd_data *h = iface->bss[j];
+
+                               if (h->dpp_pkex_bi == ifaces->dpp_pb_bi)
+                                       h->dpp_pkex_bi = NULL;
+                       }
+               }
 
                os_snprintf(id, sizeof(id), "%u", ifaces->dpp_pb_bi->id);
                dpp_bootstrap_remove(ifaces->dpp, id);
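Review bot: The nested loop starting at `for (i = 0; i < ifaces->count; i++)` carries no comment saying why BSSes on other interfaces are visited; a reader needs to know that the push-button bootstrap info hangs off the shared `ifaces` and may have been recorded as `dpp_pkex_bi` by any BSS, so every such reference must be dropped before `dpp_bootstrap_remove()` frees it. Suggest `/* The PB bootstrap info is shared by all BSSes; clear every dpp_pkex_bi that still points at it before it is freed. */` above the outer loop. As a point of style, the `iface &&` guard in the inner loop condition is re-evaluated on every iteration; `if (!iface) continue;` before the inner loop reads more plainly. `h` is dereferenced without a NULL check, which is fine only if `iface->bss[]` is always populated up to `num_bss` — worth confirming. hostapd_dpp_push_button_stop continues outside the hunk.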
index 21ad685f2ae0198a4d8278f3251e5b2614bdb678..d3a96ac0c2ab70bfb18e46abb5bbeafdcb40b449 100644 (file)
@@ -5665,6 +5665,8 @@ void wpas_dpp_push_button_stop(struct wpa_supplicant *wpa_s)
        if (wpa_s->dpp_pb_bi) {
                char id[20];
 
+               if (wpa_s->dpp_pb_bi == wpa_s->dpp_pkex_bi)
+                       wpa_s->dpp_pkex_bi = NULL;
                os_snprintf(id, sizeof(id), "%u", wpa_s->dpp_pb_bi->id);
                dpp_bootstrap_remove(wpa_s->dpp, id);
                wpa_s->dpp_pb_bi = NULL;
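Review bot: The new `if (wpa_s->dpp_pb_bi == wpa_s->dpp_pkex_bi)` check clears the PKEX reference only when it aliases the push-button bootstrap info, whereas the hostapd counterpart in this same commit resets `hapd->dpp_pkex_bi` unconditionally right after freeing the PKEX context; if wpas_dpp_push_button_stop also frees `wpa_s->dpp_pkex` earlier in the function (outside this hunk), an unconditional `wpa_s->dpp_pkex_bi = NULL;` would be simpler and keep the two sides consistent. Either way, a one-line comment such as `/* dpp_pkex_bi may alias the PB bootstrap info that is about to be freed */` would explain the comparison. wpas_dpp_push_button_stop starts outside the hunk.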