git.ipfire.org Git - thirdparty/hostap.git/commit

author	Benjamin Berg <benjamin.berg@intel.com>
	Thu, 7 Aug 2025 11:25:57 +0000 (13:25 +0200)
committer	Jouni Malinen <j@w1.fi>
	Mon, 6 Oct 2025 20:40:05 +0000 (23:40 +0300)
commit	f5790e97cd646c5bf9ad9728970413b1b43086ea
tree	d09dfa75e345f11d4f4ccc749478df60ee1d2342	tree \| snapshot
parent	274d5014bd5016f72ccb19ddc8b696bb1a4364d1	commit \| diff

nl80211: Delay event processing during command handling

Unrelated nl80211 events may arrive while the driver is waiting for the
confirmation of another command. These events must not be delivered
immediately as they may confuse the internal state machine. They also
must be delivered, but some commands would cause them to be dropped.

Fix this up by queuing all events for later processing. Note that this
code is not very elegant as libnl does not export the nl_cb_call()
function. Add a hook into the two relevant functions that process
events. This hook will forward command replies to the correct handler
and queue the event if they should not be processed immediately.

Note that in a lot of cases this cannot happen because different nl80211
sockets are used for different purposes. However, the EAPOL frames
specifically have to be delivered over the same socket that all
connection related commands are done. So for these notifications the
race condition can happen and could cause a state confusion in
wpa_supplicant.

An example of this happening was observed in the autogo_pbc test where
wpa_supplicant would initiate a deauth and during that time also handle
an EAPOL frame that itself caused another deauthentication. This
resulted in a double free of wpa_s->current_ssid.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>

src/drivers/driver_nl80211.c		diff \| blob \| blame \| history
src/drivers/driver_nl80211.h		diff \| blob \| blame \| history
src/drivers/driver_nl80211_event.c		diff \| blob \| blame \| history
tests/hwsim/test_cfg80211.py		diff \| blob \| blame \| history