From: Jouni Malinen <j@w1.fi>
Date: Fri, 27 Dec 2024 21:49:57 +0000 (+0200)
Subject: WPS: Fix a race condition on WPS_CANCEL handling
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84c9040933b45c331e620d4a6b1832e27e4aa733;p=thirdparty%2Fhostap.git

WPS: Fix a race condition on WPS_CANCEL handling

If the WPS_CANCEL command were issued between the driver command
requesting association and the driver event indicating completion of
association, i.e., within the WPA_ASSOCIATING state, it was possible for
the association to continue and the WPS procedure to be completed after
this.

Address this by forcing deauthentication and WPS state clearing also in
the WPS_ASSOCIATING state and not only if the association has been
completed.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 7b9cf7f9e..d332f000c 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1375,7 +1375,7 @@ int wpas_wps_cancel(struct wpa_supplicant *wpa_s)
 		wpa_printf(MSG_DEBUG, "WPS: Cancel operation - cancel scan");
 		wpa_supplicant_cancel_scan(wpa_s);
 		wpas_clear_wps(wpa_s);
-	} else if (wpa_s->wpa_state >= WPA_ASSOCIATED) {
+	} else if (wpa_s->wpa_state >= WPA_ASSOCIATING) {
 		wpa_printf(MSG_DEBUG, "WPS: Cancel operation - "
 			   "deauthenticate");
 		wpa_s->own_disconnect_req = 1;