From: Adil Saeed Musthafa Date: Thu, 11 May 2023 18:43:02 +0000 (-0700) Subject: Do prune_association only after the STA is authorized X-Git-Tag: hostap_2_11~1172 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e978072baaca886943c391b9a99066771ddc01a8;p=thirdparty%2Fhostap.git Do prune_association only after the STA is authorized Prune-associations should be done only after the new station is authorized. Otherwise any STA can cause denial of service to connected stations in PMF case when more than a single interface is being controlled by the same hostapd process. Signed-off-by: Adil Saeed Musthafa --- diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index ef8800c8c..112e6fad3 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -3339,7 +3339,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta, return; } - hostapd_prune_associations(hapd, sta->addr); ap_sta_clear_disconnect_timeouts(hapd, sta); sta->post_csa_sa_query = 0; diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c index 0897bcda4..4eb41528e 100644 --- a/src/ap/sta_info.c +++ b/src/ap/sta_info.c @@ -1280,10 +1280,12 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta, if (!!authorized == !!(sta->flags & WLAN_STA_AUTHORIZED)) return; - if (authorized) + if (authorized) { + hostapd_prune_associations(hapd, sta->addr); sta->flags |= WLAN_STA_AUTHORIZED; - else + } else { sta->flags &= ~WLAN_STA_AUTHORIZED; + } #ifdef CONFIG_P2P if (hapd->p2p_group == NULL) {
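Review bot: In the src/ap/hostapd.c hunk, dropping hostapd_prune_associations(hapd, sta->addr) from hostapd_new_assoc_sta() makes pruning depend entirely on a later ap_sta_set_authorized() transition to authorized, and neither the hunk nor the commit message shows that every association path reaches that transition. Please confirm, and say so in the commit message, that each path that used to prune here (including configurations without PMF or without a key handshake) still ends in ap_sta_set_authorized() with authorized set. Otherwise an older entry for the same address could be left on another interface controlled by the same hostapd process.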
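Review bot: In the src/ap/sta_info.c hunk, the new call inside "if (authorized) {" carries no comment explaining why pruning now lives in ap_sta_set_authorized(). The reason given in the commit message (a not yet authorized STA must not be able to disconnect connected stations in the PMF case) is easy to lose in a later refactor, so add a short comment above hostapd_prune_associations(hapd, sta->addr). Two further checks: the call runs before "sta->flags |= WLAN_STA_AUTHORIZED;", so confirm that nothing in the prune path depends on this STA's authorized flag already being set, and since the hunk adds no #include, confirm that the declaration of hostapd_prune_associations() is already visible in sta_info.c.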