Do prune_association only after the STA is authorized

Prune-associations should be done only after the new station is authorized. Otherwise any STA can cause denial of service to connected stations in PMF case when more than a single interface is being controlled by the same hostapd process. Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
cotequeiroz · May 25, 2023 · e978072 · e978072
1 parent a2c09eb
commit e978072
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
@@ -3339,7 +3339,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
 		return;
 	}
 
-	hostapd_prune_associations(hapd, sta->addr);
 	ap_sta_clear_disconnect_timeouts(hapd, sta);
 	sta->post_csa_sa_query = 0;
 

diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
@@ -1280,10 +1280,12 @@ void ap_sta_set_authorized(struct hostapd_data *hapd, struct sta_info *sta,
 	if (!!authorized == !!(sta->flags & WLAN_STA_AUTHORIZED))
 		return;
 
-	if (authorized)
+	if (authorized) {
+		hostapd_prune_associations(hapd, sta->addr);
 		sta->flags |= WLAN_STA_AUTHORIZED;
-	else
+	} else {
 		sta->flags &= ~WLAN_STA_AUTHORIZED;
+	}
 
 #ifdef CONFIG_P2P
 	if (hapd->p2p_group == NULL) {