Do not start SA Query procedure without keys
authorRohan <drohan@codeaurora.org>
Fri, 14 Aug 2020 13:36:15 +0000 (19:06 +0530)
committerJouni Malinen <j@w1.fi>
Tue, 22 Sep 2020 20:11:30 +0000 (23:11 +0300)
The AP mode condition for initiating the SA Query procedure when
receiving a new (Re)Association Request frame used only association
state and MFP negotiation result without checking that the key exchange
has been completed. This can give rise to a corner case where the SA
Query procedure may get started after open association but before the
4-way handshake has been completed, resulting in open SA query frames
over the air.

Fix this by adding station authorized check in hostapd_notif_assoc() and
check_assoc_ies().

Signed-off-by: Rohan <drohan@codeaurora.org>
src/ap/drv_callbacks.c
src/ap/ieee802_11.c

index 9faac0ddc396d17433f543813302456e360ae879..a8b339f58df7ae1dbdf0ade17ce8ec11b16868fd 100644 (file)
@@ -388,13 +388,15 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                        goto fail;
                }
 
-               if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
-                   (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+               if ((sta->flags &
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
                    !sta->sa_query_timed_out &&
                    sta->sa_query_count > 0)
                        ap_check_sa_query_timeout(hapd, sta);
-               if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
-                   (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+               if ((sta->flags &
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
                    !sta->sa_query_timed_out &&
                    (sta->auth_alg != WLAN_AUTH_FT)) {
                        /*
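Review bot: The mask `(WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)` is now spelled out four times in this hostapd_notif_assoc() hunk and four more times in the check_assoc_ies() hunk of src/ap/ieee802_11.c, so the next flag this guard ever needs would have to be added in eight places and the two files could silently drift apart. A single named mask next to the WLAN_STA_* definitions, e.g. `#define WLAN_STA_SA_QUERY_FLAGS (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)` (name constructed), used as `(sta->flags & WLAN_STA_SA_QUERY_FLAGS) == WLAN_STA_SA_QUERY_FLAGS`, would keep both sites identical. The reasoning from the commit message is not visible in the code; a comment above the first check such as `/* SA Query frames must be protected, so require the key handshake to have completed (WLAN_STA_AUTHORIZED) before starting or timing out a query */` would preserve it for the next reader. The body of the second if block continues past the end of the hunk.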
index 13431d5672d6a4bf27fa14812ad7cac5aba9ce80..e3a9cbee90040b5cef1bcb40ff3cb230a4463234 100644 (file)
@@ -3328,13 +3328,15 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                resp = wpa_res_to_status_code(res);
                if (resp != WLAN_STATUS_SUCCESS)
                        return resp;
-               if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
-                   (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+               if ((sta->flags &
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
                    !sta->sa_query_timed_out &&
                    sta->sa_query_count > 0)
                        ap_check_sa_query_timeout(hapd, sta);
-               if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_MFP)) ==
-                   (WLAN_STA_ASSOC | WLAN_STA_MFP) &&
+               if ((sta->flags &
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED)) ==
+                   (WLAN_STA_ASSOC | WLAN_STA_MFP | WLAN_STA_AUTHORIZED) &&
                    !sta->sa_query_timed_out &&
                    (!reassoc || sta->auth_alg != WLAN_AUTH_FT)) {
                        /*