From: Andrei Otcheretianski Date: Sun, 7 Mar 2021 21:40:01 +0000 (+0200) Subject: wpa_supplicant: Don't process EAPOL frames while disconnecting X-Git-Tag: hostap_2_10~436 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82a348eda46bed273eafbb94d7956a01117f0b2d;p=thirdparty%2Fhostap.git wpa_supplicant: Don't process EAPOL frames while disconnecting An EAPOL frame may be pending when wpa_supplicant requests to deauthenticate. At this stage the EAP SM cache is already cleaned by calling eapol_sm_invalidate_cached_session(). Since at this stage the wpa_supplicant's state is still set to associated, the EAPOL frame is processed and results in a crash due to NULL dereference. This wasn't seen previously as nl80211 wouldn't process the NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would set the valid_handler to NULL. This behavior was changed in commit ab89291928fa exposing this race. Fix it by ignoring EAPOL frames while the deauthentication is in progress. Fixes: ab89291928fa ("nl80211: Use process_bss_event() for the nl_connect handler") Signed-off-by: Andrei Otcheretianski --- diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 6a02ed7c5..90e8a466a 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -4773,6 +4773,12 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr, wpa_dbg(wpa_s, MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); + if (wpa_s->own_disconnect_req) { + wpa_printf(MSG_DEBUG, + "Drop received EAPOL frame as we are disconnecting"); + return; + } + #ifdef CONFIG_TESTING_OPTIONS if (wpa_s->ignore_auth_resp) { wpa_printf(MSG_INFO, "RX EAPOL - ignore_auth_resp active!");
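Review bot: the early return on `wpa_s->own_disconnect_req` at the top of wpa_supplicant_rx_eapol() depends on that flag being cleared before the next association, and nothing in the visible lines shows where that happens. If the flag outlived the disconnect, every later EAPOL frame would be dropped here with only a MSG_DEBUG line, which would look like a stalled handshake rather than a crash. A short comment above the check would help. It should state the race from the commit message (the EAP SM cache is already invalidated while the state is still associated) and name the place where the flag is reset. As a smaller style point, the drop message uses `wpa_printf(MSG_DEBUG, ...)` while the receive log just above uses `wpa_dbg(wpa_s, MSG_DEBUG, ...)`. Using wpa_dbg for the drop message too would keep the per-interface context, so the drop can be matched to the "RX EAPOL from" line that precedes it.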