From: Jouni Malinen Date: Mon, 22 Jan 2024 11:59:03 +0000 (+0200) Subject: DPP: Avoid a potential use-after-free on an error path in AP X-Git-Tag: hostap_2_11~440 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c90c8d24e741fcd26bf252dea0bb4c1a9c88a54;p=thirdparty%2Fhostap.git DPP: Avoid a potential use-after-free on an error path in AP The TX status handler for DPP Authentication Confirm message might have resulted in use-after-free if the start of a GAS query were to fail, e.g., due to being somehow unable to transmit the initial request. Avoid this by explicitly confirming that the authentication session was not removed. Signed-off-by: Jouni Malinen --- diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c index 812d21afd..3f89bc20c 100644 --- a/src/ap/dpp_hostapd.c +++ b/src/ap/dpp_hostapd.c @@ -539,8 +539,15 @@ void hostapd_dpp_tx_status(struct hostapd_data *hapd, const u8 *dst, return; } - if (hapd->dpp_auth_ok_on_ack) + if (hapd->dpp_auth_ok_on_ack) { hostapd_dpp_auth_success(hapd, 1); + if (!hapd->dpp_auth) { + /* The authentication session could have been removed in + * some error cases, e.g., when starting GAS client and + * failing to send the initial request. */ + return; + } + } if (!is_broadcast_ether_addr(dst) && !ok) { wpa_printf(MSG_DEBUG,
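Review bot: The new `if (!hapd->dpp_auth)` check after `hostapd_dpp_auth_success(hapd, 1);` only catches the freed session if every removal path reached from that call also resets `hapd->dpp_auth` to NULL, and nothing in this hunk shows or documents that invariant. Consider stating it in the comment, or having hostapd_dpp_auth_success() report failure to the caller so this function does not have to infer it from the pointer. It is also worth confirming that no pointer to the session cached earlier in hostapd_dpp_tx_status() is used after this point, since the NULL check would not cover a stale local copy. A `wpa_printf(MSG_DEBUG, ...)` before the early `return;` would make this error path visible in logs, as the rest of the TX status handling is silently skipped when it is taken.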