From: Vinay Gannevaram <quic_vganneva@quicinc.com>
Date: Fri, 11 Nov 2022 18:45:36 +0000 (+0530)
Subject: PASN: Fix passing own address and peer address to pasn_deauthenticate()
X-Git-Tag: hostap_2_11~1491
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86ab282170a110b1080aca0d019be7629052e8c2;p=thirdparty%2Fhostap.git

PASN: Fix passing own address and peer address to pasn_deauthenticate()

Need to copy own address and peer address locally and pass them to
pasn_deauthenticate(), because this pointer data will be flushed from
the PTKSA cache before sending the Deauthentication frame and these
pointers to then-freed memory would be dereferenced.

Fixes: 24929543 ("PASN: Deauthenticate on PTKSA cache entry expiration")
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
---

diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c
index a8d4e919b..fbef7f2df 100644
--- a/wpa_supplicant/pasn_supplicant.c
+++ b/wpa_supplicant/pasn_supplicant.c
@@ -781,8 +781,14 @@ static int wpas_pasn_immediate_retry(struct wpa_supplicant *wpa_s,
 static void wpas_pasn_deauth_cb(struct ptksa_cache_entry *entry)
 {
 	struct wpa_supplicant *wpa_s = entry->ctx;
+	u8 own_addr[ETH_ALEN];
+	u8 peer_addr[ETH_ALEN];
 
-	wpas_pasn_deauthenticate(wpa_s, entry->own_addr, entry->addr);
+	/* Use a copy of the addresses from the entry to avoid issues with the
+	 * entry getting freed during deauthentication processing. */
+	os_memcpy(own_addr, entry->own_addr, ETH_ALEN);
+	os_memcpy(peer_addr, entry->addr, ETH_ALEN);
+	wpas_pasn_deauthenticate(wpa_s, own_addr, peer_addr);
 }