DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

mesh: Add for_each_sta implementation in wpa_auth_callbacks

Browse source 
The wpa_auth_callbacks for mesh was missing a for_each_sta
implementation. This is an issue with pmksa cache, as when a cache entry
expires the for_each_sta callback is called in order to clear the pmksa
reference for all sta that was using this entry. Not having a
for_each_sta callback will prevent this cleanup to happen then a sta
could still use this pmksa entry even after it has been freed.

This used after free was not a problem up until recently where
dpp_pkhash is now stored in pmksa entry and retreived later on causing
crash with below backtrace:

  _wpa_snprintf_hex                        src/utils/common.c:326
  wpa_snprintf_hex                         src/utils/common.c:348
  hostapd_ctrl_iface_sta_mib               src/ap/ctrl_iface_ap.c:542
  hostapd_ctrl_iface_sta_mib               src/ap/ctrl_iface_ap.c:542
  hostapd_ctrl_iface_sta_mib               src/ap/ctrl_iface_ap.c:600
  hostapd_ctrl_iface_sta                   src/ap/ctrl_iface_ap.c:615
  wpa_supplicant_ctrl_iface_process        src/wpa_supplicant/ctrl_iface.c:12741
  wpa_supplicant_global_ctrl_iface_receive src/wpa_supplicant/ctrl_iface_unix.c:1141
  eloop_sock_table_dispatch                src/utils/eloop.c:625
  eloop_run                                src/utils/eloop.c:1238
  wpa_supplicant_run                       src/wpa_supplicant/wpa_supplicant.c:8021
  main                                     src/wpa_supplicant/main.c:393

Adding a for_each_sta callbacks fixes that.

Fixes: 043dedee83 ("DPP: Expose enrollee pubkey hash for identification")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
This commit is contained in:
Remi Pommarel 2023-12-01 16:14:11 +01:00 committed by Jouni Malinen
parent b07f19e082
commit bbb0d3a40e
1 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
wpa_supplicant/mesh_rsn.c
View file

@ -142,6 +142,23 @@ static int auth_start_ampe(void *ctx, const u8 *addr)
} }
static int auth_for_each_sta(
void *ctx, int (*cb)(struct wpa_state_machine *sm, void *ctx),
void *cb_ctx)
{
struct mesh_rsn *rsn = ctx;
struct hostapd_data *hapd;
struct sta_info *sta;
hapd = rsn->wpa_s->ifmsh->bss[0];
for (sta = hapd->sta_list; sta; sta = sta->next) {
if (sta->wpa_sm && cb(sta->wpa_sm, cb_ctx))
return 1;
}
return 0;
}
static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr,
enum mfp_options ieee80211w, int ocv) enum mfp_options ieee80211w, int ocv)
{ {
@ -151,6 +168,7 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr,
.get_psk = auth_get_psk, .get_psk = auth_get_psk,
.set_key = auth_set_key, .set_key = auth_set_key,
.start_ampe = auth_start_ampe, .start_ampe = auth_start_ampe,
.for_each_sta = auth_for_each_sta,
}; };
u8 seq[6] = {}; u8 seq[6] = {};