From 82a348eda46bed273eafbb94d7956a01117f0b2d Mon Sep 17 00:00:00 2001
From: Andrei Otcheretianski
Date: Sun, 7 Mar 2021 23:40:01 +0200
Subject: [PATCH] wpa_supplicant: Don't process EAPOL frames while disconnecting

An EAPOL frame may be pending when wpa_supplicant requests to deauthenticate. At this stage the EAP SM cache is already cleaned by calling eapol_sm_invalidate_cached_session(). Since at this stage the wpa_supplicant's state is still set to associated, the EAPOL frame is processed and results in a crash due to NULL dereference. This wasn't seen previously as nl80211 wouldn't process the NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would set the valid_handler to NULL. This behavior was changed in commit ab89291928fa exposing this race. Fix it by ignoring EAPOL frames while the deauthentication is in progress.

Fixes: ab89291928fa ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski
---
 wpa_supplicant/wpa_supplicant.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 6a02ed7c5..90e8a466a 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -4773,6 +4773,12 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr,
 wpa_dbg(wpa_s, MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr));
 wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len);
+ if (wpa_s->own_disconnect_req) {
+ wpa_printf(MSG_DEBUG,
+ "Drop received EAPOL frame as we are disconnecting");
+ return;
+ }
+
 #ifdef CONFIG_TESTING_OPTIONS
 if (wpa_s->ignore_auth_resp) {
 wpa_printf(MSG_INFO, "RX EAPOL - ignore_auth_resp active!");
-- 
2.47.2
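Review bot: The new `own_disconnect_req` check depends on that flag being cleared before the next association's EAPOL exchange begins, and nothing in the hunk shows where that reset happens; if it lingers across a disconnect-then-reconnect, the first EAPOL-Key frame of the fresh 4-way handshake would be silently dropped and the connection would time out. It is worth confirming the reset path and stating the assumption above the check, e.g. `/* The EAP SM cached session was already invalidated when the deauth was requested, so a late EAPOL frame must not be processed; own_disconnect_req is expected to be cleared on the next connect attempt. */`. For consistency with the `wpa_dbg()` call two lines above, which tags the message with the interface, consider `wpa_dbg(wpa_s, MSG_DEBUG, "Drop received EAPOL frame as we are disconnecting");` in place of the `wpa_printf()` pair. wpa_supplicant_rx_eapol() starts before the hunk and continues after it.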