From e6ec62aa2d68e9436daeb4470260a101a06c9213 Mon Sep 17 00:00:00 2001 From: Lee Harding Date: Tue, 9 Apr 2024 15:06:38 -0700 Subject: [PATCH] Allow Session-Timeout with PSK RADIUS during 4-way handshake When the RADIUS response included a Session-Timeout attribute, but is otherwise valid (an Access-Accept with a valid Tunnel-Password), the association still failed due to the strict comparison of the accepted value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't previously tested. Extend this to allow a packet containing a valid Session-Timeout attribute to be accepted by extending the "success" comparison to include HOSTAPD_ACL_ACCEPT_TIMEOUT. Fixes: 1c3438fec4ba ("RADIUS ACL/PSK check during 4-way handshake") Signed-off-by: Lee Harding --- src/ap/ieee802_11_auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index e723ae74b..98a877dec 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, if (query->radius_psk) { struct sta_info *sta; - bool success = cache->accepted == HOSTAPD_ACL_ACCEPT; + bool success = cache->accepted == HOSTAPD_ACL_ACCEPT || + cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT; sta = ap_get_sta(hapd, query->addr); if (!sta || !sta->wpa_sm) {