Check need for SA Query/assoc comeback before updating RSNE parameters
authorJouni Malinen <quic_jouni@quicinc.com>
Sat, 7 May 2022 15:49:57 +0000 (18:49 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 7 May 2022 15:52:13 +0000 (18:52 +0300)
wpa_validate_wpa_ie() might update sm->* values, so it should not be
allowed for an existing STA entry if that STA has negotiated MFP to be
used for the association. Fix this by first checking whether an SA Query
procedure needs to be initiated. In particular, this prevents a
potential bypass of the disconnection protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/drv_callbacks.c
src/ap/ieee802_11.c

index 6c1e61137006745053fe939b065f6bd538a601a0..00d3f97123e9b9d61a84ebe19fee4e5fe001bcf7 100644 (file)
@@ -340,6 +340,16 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                }
 #endif /* CONFIG_WPS */
 
+               if (check_sa_query_need(hapd, sta)) {
+                       status = WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
+
+                       p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
+
+                       hostapd_sta_assoc(hapd, addr, reassoc, status, buf,
+                                         p - buf);
+                       return 0;
+               }
+
                if (sta->wpa_sm == NULL)
                        sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth,
                                                        sta->addr,
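Review bot: Nothing at the new call site records that `check_sa_query_need()` has to stay ahead of `wpa_validate_wpa_ie()`, which per the commit message may update `sm->*` for an existing STA that negotiated MFP; a later refactor could move the block back down and silently reopen the disconnection-protection bypass. A short comment above the `if` would pin the constraint, e.g. `/* Keep before wpa_validate_wpa_ie(): it may update sm->* for an existing MFP STA */`. The same applies to the `check_sa_query()` call added in `check_assoc_ies()` in src/ap/ieee802_11.c. The early return also builds the response from `buf` up to `p`; both are declared outside this hunk (`hostapd_notif_assoc()` starts and ends outside it), so it is worth confirming that `p` still points at the start of `buf` this early in the function.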
@@ -420,16 +430,6 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
                        goto fail;
                }
 
-               if (check_sa_query_need(hapd, sta)) {
-                       status = WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
-
-                       p = hostapd_eid_assoc_comeback_time(hapd, sta, p);
-
-                       hostapd_sta_assoc(hapd, addr, reassoc, status, buf,
-                                         p - buf);
-                       return 0;
-               }
-
                if (wpa_auth_uses_mfp(sta->wpa_sm))
                        sta->flags |= WLAN_STA_MFP;
                else
index 394e292bdd813c0a45c122c6f874997d95b198bf..e1818ece2fe8649d08f23bfae08aed1e9e731058 100644 (file)
@@ -4629,6 +4629,9 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
        if (hapd->conf->wpa && wpa_ie) {
                enum wpa_validate_result res;
 
+               if (check_sa_query(hapd, sta, reassoc))
+                       return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
+
                wpa_ie -= 2;
                wpa_ie_len += 2;
                if (sta->wpa_sm == NULL)
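Review bot: The relocated `check_sa_query()` guard still sits inside `if (hapd->conf->wpa && wpa_ie)`, so it only runs for association requests that carry a WPA/RSN element. The other branches of `check_assoc_ies()` lie outside this hunk, so it would be worth confirming that a request for an existing MFP-protected STA entry that omits the element is rejected without modifying `sta->wpa_sm` or `sta->flags`. If one of those branches can change that state, the guard would need to move above the `if` rather than stay just inside it.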
@@ -4652,9 +4655,6 @@ static int check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
                if (resp != WLAN_STATUS_SUCCESS)
                        return resp;
 
-               if (check_sa_query(hapd, sta, reassoc))
-                       return WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY;
-
                if (wpa_auth_uses_mfp(sta->wpa_sm))
                        sta->flags |= WLAN_STA_MFP;
                else