
hostapd: Fix crash setting global configurator params on chirp rx

Message ID MWHPR21MB0847FAC1328EECE186697ECFC2210@MWHPR21MB0847.namprd21.prod.outlook.com
State Accepted

Commit Message

Andrew Beltrano Sept. 16, 2020, 9:51 p.m. UTC
When a presence announcement frame is received, a check is done to
ensure an ongoing auth is not in progress (!hapd->dpp_auth). A new dpp
auth is then initialized, however, when setting global configurator
params for it, the hapd->dpp_auth pointer is used which was earlier
confirmed as NULL, causing a crash in dpp_set_configurator params when
the pointer is dereferenced.

This only occurs when there are global DPP configurator params to be set
and the peer has no overriding configurator params. If no global dpp
configurator params exist, the call to dpp_set_configurator exits early
and the problem is not observed.

Fix by using the newly init'ed dpp auth structure for setting global
dpp configurator params.

Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
---
This problem does not exist in the presence announcement rx handler in
wpa_supplicant as it correctly uses the newly init'ed dpp auth to set
the global dpp configurator params.
---
 src/ap/dpp_hostapd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Jouni Malinen Oct. 7, 2020, 8:33 p.m. UTC | #1
On Wed, Sep 16, 2020 at 09:51:40PM +0000, Andrew Beltrano wrote:
> When a presence announcement frame is received, a check is done to
> ensure an ongoing auth is not in progress (!hapd->dpp_auth). A new dpp
> auth is then initialized, however, when setting global configurator
> params for it, the hapd->dpp_auth pointer is used which was earlier
> confirmed as NULL, causing a crash in dpp_set_configurator params when
> the pointer is dereferenced.
> 
> This only occurs when there are global DPP configurator params to be set
> and the peer has no overriding configurator params. If no global dpp
> configurator params exist, the call to dpp_set_configurator exits early
> and the problem is not observed.
> 
> Fix by using the newly init'ed dpp auth structure for setting global
> dpp configurator params.

Thanks, applied.

Patch

diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c
index 15aa82b85..2a28239e1 100644
--- a/src/ap/dpp_hostapd.c
+++ b/src/ap/dpp_hostapd.c
@@ -1249,8 +1249,8 @@  hostapd_dpp_rx_presence_announcement(struct hostapd_data *hapd, const u8 *src,
 			     0);
 	if (!auth)
 		return;
-	hostapd_dpp_set_testing_options(hapd, hapd->dpp_auth);
-	if (dpp_set_configurator(hapd->dpp_auth,
+	hostapd_dpp_set_testing_options(hapd, auth);
+	if (dpp_set_configurator(auth,
 				 hapd->dpp_configurator_params) < 0) {
 		dpp_auth_deinit(auth);
 		return;
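Review bot: The commit message accounts only for the dpp_set_configurator() crash, but the first changed line in this hunk also stops passing the NULL hapd->dpp_auth to hostapd_dpp_set_testing_options(); the message should say whether that call was affected as well, so the scope of the fix is clear to anyone backporting it. Because this path is only reached when hapd->dpp_auth is NULL (the earlier !hapd->dpp_auth check the message describes), a one-line comment above these two calls stating that only the local auth is valid here would help prevent the same mix-up from being reintroduced.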