From: Jouni Malinen
Date: Wed, 19 Feb 2014 21:51:55 +0000 (+0200)
Subject: WPS: Fix STA state validation when processing PutWLANResponse
X-Git-Tag: hostap_2_2~836
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d87a6acdf5aedec3fe6e1f19ce3c84f1741c2bf7;p=thirdparty%2Fhostap.git

WPS: Fix STA state validation when processing PutWLANResponse

It is possible for an ER to send an unexpected PutWLANResponse action when the destination STA is in disassociated, but not fully deauthenticated state. sta->eapol_sm can be NULL in such state and as such, it would be possible to hit a NULL pointer dereference in the eapol_auth_eap_pending_cb() call at the end of the hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the station. Fix this by validating that sta->eapol_sm is set before processing the message.

Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c index 8aafa639e..3a40125b8 100644 --- a/src/ap/wps_hostapd.c +++ b/src/ap/wps_hostapd.c @@ -1479,6 +1479,16 @@ static int hostapd_rx_req_put_wlan_response( return 0; } + if (!sta->eapol_sm) { + /* + * This can happen, e.g., if an ER sends an extra message after + * the station has disassociated (but not fully + * deauthenticated). + */ + wpa_printf(MSG_DEBUG, "WPS UPnP: Matching STA did not have EAPOL state machine initialized"); + return 0; + } + p = os_zalloc(sizeof(*p)); if (p == NULL) return -1;
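Review bot: the commit message places the NULL dereference "at the end of the hostapd_wps_probe_req_rx()", but the hunk header shows the new check is inside hostapd_rx_req_put_wlan_response(), so the message should name that function instead. It is also worth confirming that `return 0;` is the intended outcome for the new branch: it matches the early `return 0;` visible in the context just above, but it means an ER's PutWLANResponse for a disassociated STA is dropped with only a MSG_DEBUG line while being reported as handled, so repeated stray messages from an ER will not be visible at normal log levels; if operators should be able to see that, consider a non-zero return or a higher log level than MSG_DEBUG.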