From: Jouni Malinen Date: Sun, 25 Jan 2026 18:05:01 +0000 (+0200) Subject: AP MLD: Cover wpa_sm clearing in authentication handling for ML STA X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a2437d80bfaa4a16333af8bec5db764a6d17c9e;p=thirdparty%2Fhostap.git AP MLD: Cover wpa_sm clearing in authentication handling for ML STA Clearing of wpa_sm for non-ML STAs ended up with possibility for a previously generated ML STA entry to free sta->wpa_sm on one of the links while leaving the other links potentially pointing to the freed wpa_sm. Fix that by reordering code to allow the STA entry to be marked to be for a non-AP MLD before calling clear_wpa_sm_for_each_partner_link(). Fixes: 9603a83a1e3f ("AP MLD: Avoid reusing ML wpa state machine for non-ML STA") Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index bf38537e2..47e5d3a5d 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3574,12 +3574,6 @@ static void handle_auth(struct hostapd_data *hapd,
 if (!sta->added_unassoc && auth_transaction == 1) {
 ap_sta_free_sta_profile(&sta->mld_info);
 os_memset(&sta->mld_info, 0, sizeof(sta->mld_info));
- if ((!(sta->flags & WLAN_STA_MFP) ||
- !ap_sta_is_authorized(sta)) && sta->wpa_sm) {
- wpa_auth_sta_deinit(sta->wpa_sm);
- sta->wpa_sm = NULL;
- clear_wpa_sm_for_each_partner_link(hapd, sta);
- }
 if (mld_sta) {
 u8 link_id = hapd->mld_link_id;
@@ -3598,6 +3592,13 @@ static void handle_auth(struct hostapd_data *hapd,
 os_memcpy(sta->mld_info.links[link_id].local_addr,
 hapd->own_addr, ETH_ALEN);
 }
+
+ if ((!(sta->flags & WLAN_STA_MFP) ||
+ !ap_sta_is_authorized(sta)) && sta->wpa_sm) {
+ wpa_auth_sta_deinit(sta->wpa_sm);
+ sta->wpa_sm = NULL;
+ clear_wpa_sm_for_each_partner_link(hapd, sta);
+ }
 }
 #endif /* CONFIG_IEEE80211BE */
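Review bot: The relocated wpa_sm teardown at the end of the `!sta->added_unassoc && auth_transaction == 1` branch is only correct because it now runs after the `if (mld_sta)` block, and nothing in the code records that ordering requirement, so a later tidy-up could move it back and reintroduce partner links holding a freed `sta->wpa_sm`. A comment directly above the moved `if` would pin it, e.g. `/* Keep after the mld_sta block: clear_wpa_sm_for_each_partner_link() needs the STA already marked as a non-AP MLD to reach the partner links. */`. When `mld_sta` is false, `sta->mld_info` is still zeroed by the `os_memset()` above, so whether partner-link entries left over from an earlier ML association get their pointer cleared depends on how `clear_wpa_sm_for_each_partner_link()` locates them; that is not visible in this hunk and is worth confirming. handle_auth() starts and ends outside the hunk.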