FT: Check hapd->wpa_auth before RRB internal delivery
A malicious station could try to do FT-over-DS with a non WPA-enabled BSS. When this BSS is located in the same hostapd instance, internal RRB delivery will be used and thus the FT Action Frame will be processed by a non-WPA enabled BSS. This processing used to crash hostapd as hapd->wpa_auth is NULL. If the target BSS is on a different hostapd instance, it will not listen for these packets and thus not crash. Fix this by checking hapd->wpa_auth before delivery. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This commit is contained in:
parent
0270bdedcc
commit
71456dbdf2
1 changed files with 2 additions and 0 deletions
|
@ -413,6 +413,8 @@ static int hostapd_wpa_auth_ft_iter(struct hostapd_iface *iface, void *ctx)
|
||||||
hapd = iface->bss[j];
|
hapd = iface->bss[j];
|
||||||
if (hapd == idata->src_hapd)
|
if (hapd == idata->src_hapd)
|
||||||
continue;
|
continue;
|
||||||
|
if (!hapd->wpa_auth)
|
||||||
|
continue;
|
||||||
if (os_memcmp(hapd->own_addr, idata->dst, ETH_ALEN) == 0) {
|
if (os_memcmp(hapd->own_addr, idata->dst, ETH_ALEN) == 0) {
|
||||||
wpa_printf(MSG_DEBUG, "FT: Send RRB data directly to "
|
wpa_printf(MSG_DEBUG, "FT: Send RRB data directly to "
|
||||||
"locally managed BSS " MACSTR "@%s -> "
|
"locally managed BSS " MACSTR "@%s -> "
|
||||||
|
|
Loading…
Reference in a new issue