authorMichael Braun <michael-dev@fami-braun.de>2016-02-24 11:53:25 (GMT)
committerJouni Malinen <j@w1.fi>2016-02-28 15:45:45 (GMT)
commit71456dbdf2f9eddbf7bde4b316fe1309b26ff995 (patch)
treee20aae57b4550ac43ab3d8e4894c9671285da1a1 /src/ap/wpa_auth_glue.c
parent0270bdedccb9a5165668db2cf39292f9e81cc352 (diff)
FT: Check hapd->wpa_auth before RRB internal delivery
A malicious station could try to do FT-over-DS with a non WPA-enabled BSS. When this BSS is located in the same hostapd instance, internal RRB delivery will be used and thus the FT Action Frame will be processed by a non-WPA enabled BSS. This processing used to crash hostapd as hapd->wpa_auth is NULL. If the target BSS is on a different hostapd instance, it will not listen for these packets and thus not crash. Fix this by checking hapd->wpa_auth before delivery. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Diffstat (limited to 'src/ap/wpa_auth_glue.c')
-rw-r--r--src/ap/wpa_auth_glue.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index ffd0790..fb830e9 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -413,6 +413,8 @@ static int hostapd_wpa_auth_ft_iter(struct hostapd_iface *iface, void *ctx)
hapd = iface->bss[j];
if (hapd == idata->src_hapd)
continue;
+ if (!hapd->wpa_auth)
+ continue;
if (os_memcmp(hapd->own_addr, idata->dst, ETH_ALEN) == 0) {
wpa_printf(MSG_DEBUG, "FT: Send RRB data directly to "
"locally managed BSS " MACSTR "@%s -> "
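Review bot: The added `if (!hapd->wpa_auth) continue;` skips the BSS silently and has no comment, so a later reader cannot tell that it guards against a remotely triggerable NULL dereference rather than being an optimisation. I would put `/* Non-WPA BSS has no authenticator; RRB delivery to it would dereference NULL */` above the check. Because the skip runs before the `os_memcmp()` on `own_addr`, a frame addressed to a non-WPA BSS is dropped without a trace; testing `hapd->wpa_auth` inside the address-match branch and emitting a `wpa_printf(MSG_DEBUG, ...)` there would give operators a log line when a station attempts FT-over-DS against such a BSS. The check shows only that an authenticator exists, not that the target BSS has FT enabled; whether the receive path copes with that is not visible here, since the rest of hostapd_wpa_auth_ft_iter() lies outside the hunk.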