Disconnect STA on continuous EAP reauth without 4-way handshake completion
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 6 Apr 2022 12:26:36 +0000 (15:26 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 6 Apr 2022 12:28:49 +0000 (15:28 +0300)
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/wpa_auth.c
src/ap/wpa_auth_i.h

index 7da102e908efc783946245bc971b428dcf93d4f2..0cf603c109a17cf6d04551cc9ca5c5b704d1bdd6 100644 (file)
@@ -1850,6 +1850,14 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
                        break;
                }
 
+               if (sm->ptkstart_without_success > 3) {
+                       wpa_printf(MSG_INFO,
+                                  "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
+                                  MACSTR, MAC2STR(sm->addr));
+                       sm->Disconnect = true;
+                       break;
+               }
+
                if (!sm->use_ext_key_id &&
                    sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
                        wpa_printf(MSG_INFO,
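Review bot: The limit in `if (sm->ptkstart_without_success > 3)` is an unnamed literal, and nothing at the check says where the counter is maintained or why this value was chosen. A named constant, for example `#define WPA_MAX_PTKSTART_WITHOUT_SUCCESS 3`, plus a one-line comment that the counter is incremented in PTKSTART and cleared in PTKINITDONE, would keep the disconnect policy auditable in one place. Because this branch forces a disconnect, it is also worth checking that the MSG_INFO line alone lets an operator tell it apart from an ordinary deauthentication. The enclosing case in wpa_auth_sm_event() starts and ends outside the hunk, so which events reach this check cannot be confirmed from here.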
@@ -2192,6 +2200,7 @@ SM_STATE(WPA_PTK, PTKSTART)
        sm->PTKRequest = false;
        sm->TimeoutEvt = false;
        sm->alt_snonce_valid = false;
+       sm->ptkstart_without_success++;
 
        sm->TimeoutCtr++;
        if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
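Review bot: `sm->ptkstart_without_success++` runs on every entry to PTKSTART, and the adjacent `sm->TimeoutCtr++` suggests this state is also re-entered for message 1/4 retransmissions, so the counter probably counts retries as well as handshakes started by a reauth. If so, the "Multiple EAP reauth attempts" log text and the limit of 3 are looser than they read, since a single stalled handshake could consume the budget before the next reauth event arrives. If that is intended, say so with a comment such as `/* counts every PTKSTART entry, including msg 1/4 retries; cleared in PTKINITDONE */`. Otherwise consider counting only the first entry of each handshake, which depends on where TimeoutCtr is reset and is not visible here. The rest of the state body lies outside the hunk.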
@@ -3721,6 +3730,8 @@ SM_STATE(WPA_PTK, PTKINITDONE)
 #ifdef CONFIG_IEEE80211R_AP
        wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
 #endif /* CONFIG_IEEE80211R_AP */
+
+       sm->ptkstart_without_success = 0;
 }
 
 
index 7e93e5ab8c8b935124ef20f75894b2e2b0da84ae..17cb5a2e97711d909b18b5af26149810f838203b 100644 (file)
@@ -97,6 +97,8 @@ struct wpa_state_machine {
        unsigned int is_wnmsleep:1;
        unsigned int pmkid_set:1;
 
+       unsigned int ptkstart_without_success;
+
 #ifdef CONFIG_OCV
        int ocv_enabled;
 #endif /* CONFIG_OCV */
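Review bot: The new `ptkstart_without_success` member has no comment, although its increment, reset and limit check sit in three different places in wpa_auth.c. Add `/* PTKSTART entries since the last completed 4-way handshake; cleared in PTKINITDONE, checked in wpa_auth_sm_event() */` above the declaration so the lifetime of the counter is clear from the header. The struct definition starts and ends outside the hunk, so how the field is initialised for a new state machine cannot be confirmed from here and should be checked.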