From: Michael Braun Date: Wed, 24 Feb 2016 11:53:25 +0000 (+0100) Subject: FT: Check hapd->wpa_auth before RRB internal delivery X-Git-Tag: hostap_2_6~801 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71456dbdf2f9eddbf7bde4b316fe1309b26ff995;p=thirdparty%2Fhostap.git FT: Check hapd->wpa_auth before RRB internal delivery A malicious station could try to do FT-over-DS with a non WPA-enabled BSS. When this BSS is located in the same hostapd instance, internal RRB delivery will be used and thus the FT Action Frame will be processed by a non-WPA enabled BSS. This processing used to crash hostapd as hapd->wpa_auth is NULL. If the target BSS is on a different hostapd instance, it will not listen for these packets and thus not crash. Fix this by checking hapd->wpa_auth before delivery. Signed-off-by: Michael Braun --- diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index ffd0790fe..fb830e918 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -413,6 +413,8 @@ static int hostapd_wpa_auth_ft_iter(struct hostapd_iface *iface, void *ctx) hapd = iface->bss[j]; if (hapd == idata->src_hapd) continue; + if (!hapd->wpa_auth) + continue; if (os_memcmp(hapd->own_addr, idata->dst, ETH_ALEN) == 0) { wpa_printf(MSG_DEBUG, "FT: Send RRB data directly to " "locally managed BSS " MACSTR "@%s -> "
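Review bot: The added `if (!hapd->wpa_auth) continue;` in hostapd_wpa_auth_ft_iter() skips the BSS silently and without a comment, so an FT-over-DS attempt aimed at a non-WPA BSS leaves nothing in the debug log and the reason for the check is not visible in the code. Consider a one-line comment saying that a BSS without WPA has no authenticator to process RRB data. A `wpa_printf(MSG_DEBUG, ...)` for the case where the skipped BSS's `own_addr` matches `idata->dst` would also help, because that case is exactly the one the commit message describes as attacker-triggerable. The guard covers only this internal-delivery iterator. Since the commit message attributes the crash to processing with `hapd->wpa_auth` being NULL, it is worth checking whether the receiving function should reject a NULL authenticator itself, so that any other caller is covered as well.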