Disconnect STA on continuous EAP reauth without 4-way handshake completion

It could have been possible to get into an endless loop of retried EAP authentication followed by failing or not completed 4-way handshake if there was a different interpretation of EAP authentication result (success on AP, failure on STA). Avoid this by limiting the number of consecutive EAPOL reauth attempts without completing the following 4-way handshake. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:26:36 +03:00 · 2022-04-06 15:26:36 +03:00 · 95fd54b862
commit 95fd54b862
parent 9e11e746fa
2 changed files with 13 additions and 0 deletions
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@ -1850,6 +1850,14 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
 			break;
 		}

+		if (sm->ptkstart_without_success > 3) {
+			wpa_printf(MSG_INFO,
+				   "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
+				   MACSTR, MAC2STR(sm->addr));
+			sm->Disconnect = true;
+			break;
+		}
+
 		if (!sm->use_ext_key_id &&
 		    sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
 			wpa_printf(MSG_INFO,
@ -2192,6 +2200,7 @@ SM_STATE(WPA_PTK, PTKSTART)
 	sm->PTKRequest = false;
 	sm->TimeoutEvt = false;
 	sm->alt_snonce_valid = false;
+	sm->ptkstart_without_success++;

 	sm->TimeoutCtr++;
 	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
@ -3721,6 +3730,8 @@ SM_STATE(WPA_PTK, PTKINITDONE)
 #ifdef CONFIG_IEEE80211R_AP
 	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
 #endif /* CONFIG_IEEE80211R_AP */
+
+	sm->ptkstart_without_success = 0;
 }


--- a/src/ap/wpa_auth_i.h
+++ b/src/ap/wpa_auth_i.h
@ -97,6 +97,8 @@ struct wpa_state_machine {
 	unsigned int is_wnmsleep:1;
 	unsigned int pmkid_set:1;

+	unsigned int ptkstart_without_success;
+
 #ifdef CONFIG_OCV
 	int ocv_enabled;
 #endif /* CONFIG_OCV */