authorJouni Malinen <j@w1.fi>2005-05-30 01:40:12 (GMT)
committerJouni Malinen <j@w1.fi>2005-05-30 01:40:12 (GMT)
commitc45b000fcc0f9d796d115228fab548b3c0ddf25c (patch)
tree5d192372bd7cc5bb62852f81d081f14798a5cefc
parent943c8960ac4c4695ad57a3214fbc862d2c3f32f8 (diff)
Merged from CVS trunk into hostap_0_3_branch:
PatchSet 2636 Date: 2005/05/29 20:34:41 Author: jm Branch: HEAD Tag: (none) Log: Fixed a potential issue in RSN pre-authentication ending up using freed memory if pre-authentication times out. eapol_port_timers_tick() was calling eapol_sm_step() which in turn called cb() handler and that function could end up freeing the EAPOL state machine. However, eapol_port_timers_tick() registered a new timeout for the same state machine after this. Reordering eloop_register_timeout() and eapol_sm_step() calls fixes this since now eapol_sm_deinit() will end up canceling the timeout and no new timeout is registered after the state machine has been freed. Members: wpa_supplicant/eapol_sm.c:1.53->1.54 Note: This does not really happen with 0.3.x in practice since pre-authentication timeout aborts the authentication before EAPOL state machine moves to AUTHENTICATED state (4 x 30 sec).
-rw-r--r--wpa_supplicant/eapol_sm.c25
1 files changed, 5 insertions, 20 deletions
diff --git a/wpa_supplicant/eapol_sm.c b/wpa_supplicant/eapol_sm.c
index c19eb99..1424b7d 100644
--- a/wpa_supplicant/eapol_sm.c
+++ b/wpa_supplicant/eapol_sm.c
@@ -194,9 +194,8 @@ static void eapol_port_timers_tick(void *eloop_ctx, void *timeout_ctx)
"heldWhile=%d startWhen=%d idleWhile=%d",
sm->authWhile, sm->heldWhile, sm->startWhen, sm->idleWhile);
- eapol_sm_step(sm);
-
eloop_register_timeout(1, 0, eapol_port_timers_tick, eloop_ctx, sm);
+ eapol_sm_step(sm);
}
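Review bot: The correctness of this reorder rests on an invariant the code does not state: eapol_sm_step() may free sm through the cb() handler, and eapol_sm_deinit() must cancel the timeout registered on the line above so it never fires on freed memory. Without a comment, a later cleanup could move eapol_sm_step() back above eloop_register_timeout() and silently reintroduce the use-after-free the commit message describes. Suggest a comment ahead of the register call: `/* Re-arm the 1 s tick before stepping: eapol_sm_step() may free sm via cb(), and eapol_sm_deinit() cancels this timeout. */`. I could not confirm from this hunk that eapol_sm_deinit() cancels with the same (eloop_ctx, sm) pair passed here, so that is worth checking; eapol_port_timers_tick() begins outside the hunk.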
@@ -1028,29 +1027,18 @@ int eapol_sm_get_mib(struct eapol_sm *sm, char *buf, size_t buflen)
}
-/**
- * eapol_sm_rx_eapol - process received EAPOL frames
- * @wpa_s: pointer to wpa_supplicant data
- * @src_addr: source MAC address of the EAPOL packet
- * @buf: pointer to the beginning of the EAPOL data (EAPOL header)
- * @len: length of the EAPOL frame
- *
- * Returns: 1 = EAPOL frame processed, 0 = not for EAPOL state machine,
- * -1 failure
- */
-int eapol_sm_rx_eapol(struct eapol_sm *sm, u8 *src, u8 *buf, size_t len)
+void eapol_sm_rx_eapol(struct eapol_sm *sm, u8 *src, u8 *buf, size_t len)
{
struct ieee802_1x_hdr *hdr;
struct ieee802_1x_eapol_key *key;
int plen, data_len;
- int res = 1;
if (sm == NULL)
- return 0;
+ return;
sm->dot1xSuppEapolFramesRx++;
if (len < sizeof(*hdr)) {
sm->dot1xSuppInvalidEapolFramesRx++;
- return 0;
+ return;
}
hdr = (struct ieee802_1x_hdr *) buf;
sm->dot1xSuppLastEapolFrameVersion = hdr->version;
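Review bot: The Doxygen block for eapol_sm_rx_eapol is deleted outright instead of corrected, so the new void version is left with no documentation; the old block was already stale (it described @wpa_s where the first parameter is sm, and a return value that no longer exists). Suggest restoring a comment above the new signature that names sm, src, buf and len, and states that frames the EAPOL state machine does not own, such as the WPA EAPOL-Key case handled further down, are now skipped silently rather than reported to the caller. The diffstat lists only eapol_sm.c; if the prototype in eapol_sm.h on this branch still declares an int return, the two declarations conflict, so it is worth confirming the header already reads void. The function body continues in the following hunks.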
@@ -1061,7 +1049,7 @@ int eapol_sm_rx_eapol(struct eapol_sm *sm, u8 *src, u8 *buf, size_t len)
plen = be_to_host16(hdr->length);
if (plen > len - sizeof(*hdr)) {
sm->dot1xSuppEapLengthErrorFramesRx++;
- return 0;
+ return;
}
data_len = plen + sizeof(*hdr);
@@ -1098,7 +1086,6 @@ int eapol_sm_rx_eapol(struct eapol_sm *sm, u8 *src, u8 *buf, size_t len)
/* WPA Supplicant takes care of this frame. */
wpa_printf(MSG_DEBUG, "EAPOL: Ignoring WPA EAPOL-Key "
"frame in EAPOL state machines");
- res = 0;
break;
}
if (key->type != EAPOL_KEY_TYPE_RC4) {
@@ -1123,8 +1110,6 @@ int eapol_sm_rx_eapol(struct eapol_sm *sm, u8 *src, u8 *buf, size_t len)
sm->dot1xSuppInvalidEapolFramesRx++;
break;
}
-
- return res;
}