git.ipfire.org Git - thirdparty/hostap.git/commitdiff
WPS: Fix STA state validation when processing PutWLANResponse
author Jouni Malinen <jouni@qca.qualcomm.com>
Wed, 19 Feb 2014 21:51:55 +0000 (23:51 +0200)
committer Jouni Malinen <j@w1.fi>
Wed, 19 Feb 2014 21:51:55 +0000 (23:51 +0200)
It is possible for an ER to send an unexpected PutWLANResponse action
when the destination STA is in disassociated, but not fully
deauthenticated state. sta->eapol_sm can be NULL in such state and as
such, it would be possible to hit a NULL pointer dereference in the
eapol_auth_eap_pending_cb() call at the end of the
hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the
station. Fix this by validating that sta->eapol_sm is set before
processing the message.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/ap/wps_hostapd.c

index 8aafa639ed339137d2838558f632a8e7dc90195f..3a40125b8627fa54b659ea3a07d96a584da22909 100644 (file)
@@ -1479,6 +1479,16 @@ static int hostapd_rx_req_put_wlan_response(
                return 0;
        }
 
+       if (!sta->eapol_sm) {
+               /*
+                * This can happen, e.g., if an ER sends an extra message after
+                * the station has disassociated (but not fully
+                * deauthenticated).
+                */
+               wpa_printf(MSG_DEBUG, "WPS UPnP: Matching STA did not have EAPOL state machine initialized");
+               return 0;
+       }
+
        p = os_zalloc(sizeof(*p));
        if (p == NULL)
                return -1;
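
Review bot: The debug message in the new `!sta->eapol_sm` branch does not identify which station was matched, so when several stations are in this disassociated-but-not-deauthenticated state the log line cannot be tied back to the ER's request; consider including the station address in the wpa_printf() call (hostap's MACSTR/MAC2STR helpers are the usual way, assuming the STA entry carries its address as elsewhere in the tree). The branch returns 0, the same value as the early exit visible in the context lines just above it, so the caller is not told that the message was dropped; if that is intentional, a word in the comment would make it explicit. The commit message places the eapol_auth_eap_pending_cb() call in hostapd_wps_probe_req_rx(), while the hunk header shows this change in hostapd_rx_req_put_wlan_response(); worth confirming which function was meant. The check sits before os_zalloc(), so nothing is allocated on the early-return path.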