git.ipfire.org Git - thirdparty/hostap.git/commitdiff
DPP2: Fix hostapd crash setting global configurator params on chirp RX
author Andrew Beltrano <anbeltra@microsoft.com>
Wed, 16 Sep 2020 21:51:40 +0000 (21:51 +0000)
committer Jouni Malinen <j@w1.fi>
Wed, 7 Oct 2020 17:57:36 +0000 (20:57 +0300)
When a Presence Announcement frame is received, a check is done to
ensure an ongoing auth is not in progress (!hapd->dpp_auth). A new DPP
auth is then initialized, however, when setting global configurator
params for it, the hapd->dpp_auth pointer is used which was earlier
confirmed as NULL, causing a crash in dpp_set_configurator params when
the pointer is dereferenced.

This only occurs when there are global DPP configurator params to be set
and the peer has no overriding configurator params. If no global DPP
configurator params exist, the call to dpp_set_configurator exits early
and the problem is not observed.

Fix by using the newly init'ed DPP auth structure for setting global
DPP configurator params.

Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
src/ap/dpp_hostapd.c

index 15aa82b8591c256ed59ad90f5bf707774bc2a79e..2a28239e10e002cf7b806a4fd6922cda37ebae91 100644 (file)
@@ -1249,8 +1249,8 @@ hostapd_dpp_rx_presence_announcement(struct hostapd_data *hapd, const u8 *src,
                             0);
        if (!auth)
                return;
-       hostapd_dpp_set_testing_options(hapd, hapd->dpp_auth);
-       if (dpp_set_configurator(hapd->dpp_auth,
+       hostapd_dpp_set_testing_options(hapd, auth);
+       if (dpp_set_configurator(auth,
                                 hapd->dpp_configurator_params) < 0) {
                dpp_auth_deinit(auth);
                return;
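
Review bot: At the two changed calls, hostapd_dpp_set_testing_options(hapd, auth) and dpp_set_configurator(auth, ...), nothing in the code records that hapd->dpp_auth is still NULL at this point, which is the precondition the commit message relies on. A one-line comment above them saying that the new context lives only in the local auth until it is stored would help keep a later edit from reintroducing the dereference. The commit message also says dpp_set_configurator() returns early only when no global params exist, so a NULL check on its auth argument before the dereference would turn a repeat of this mistake into an error return instead of a crash in hostapd. The diff touches only src/ap/dpp_hostapd.c; a test that delivers a Presence Announcement while hapd->dpp_configurator_params is set would cover this path.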