Browse Source

Do not proceed with association if get_bssid() returns failure

This is the normal flow for association:

wpa_supplicant <--(EVENT_ASSOC event )--  device driver
wpa_supplicant  --( get_bssid()      )--> device driver
wpa_supplicant <--( return BSSID     )--  device driver

However, a device driver could return EINVAL for get_bssid() because it
recognizes it has already been disconnected. When the wpa_supplicant
received EINVAL, the bssid field could be used uninitialized in the
following flow:

wpa_supplicant <--(EVENT_ASSOC event )--  device driver
                                          device driver (receive deauth)
wpa_supplicant  --( get_bssid()      )--> device driver
wpa_supplicant <--( return EINVAL    )--  device driver

Prevent this by requiring the get_bssid() call to succeed when
processing association events.
Masashi Honma 12 years ago
parent
commit
0a0c38f63d
1 changed files with 8 additions and 2 deletions
  1. 8 2
      wpa_supplicant/events.c

+ 8 - 2
wpa_supplicant/events.c

@@ -1524,9 +1524,15 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
 	if (data && wpa_supplicant_event_associnfo(wpa_s, data) < 0)
 		return;
 
+	if (wpa_drv_get_bssid(wpa_s, bssid) < 0) {
+		wpa_dbg(wpa_s, MSG_ERROR, "Failed to get BSSID");
+		wpa_supplicant_disassociate(
+			wpa_s, WLAN_REASON_DEAUTH_LEAVING);
+		return;
+	}
+
 	wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATED);
-	if (wpa_drv_get_bssid(wpa_s, bssid) >= 0 &&
-	    os_memcmp(bssid, wpa_s->bssid, ETH_ALEN) != 0) {
+	if (os_memcmp(bssid, wpa_s->bssid, ETH_ALEN) != 0) {
 		wpa_dbg(wpa_s, MSG_DEBUG, "Associated to a new BSS: BSSID="
 			MACSTR, MAC2STR(bssid));
 		random_add_randomness(bssid, ETH_ALEN);