Fix deauth with reason 7 due to multiple assoc_req received

Additional assoc_reqs received after an initial assoc_req (due to a timeout
in the STA) was already being handled caused the handle_assoc flow to
run again and in the process delete the station added to the driver
(in add_pre_assoc_sta). A race would occur where assoc_resp
was already sent to the STA (as part of the handling of the initial
assoc_req) and it sent a null data packet which arrived
while the station was deleted. This caused the packet to be classified
as a class 3 frame coming from an unknown STA and a deauth
would occur. Fix this by discarding additional assoc_req between
receiving the 1st assoc_req and getting a tx callback for the assoc_resp.

Signed-off-by: Eyal Shapira <eyal@wizery.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 67745e9..6821205 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1026,6 +1026,14 @@ static void handle_assoc(struct hostapd_data *hapd,
 		return;
 	}
 
+	if ((sta->flags & WLAN_STA_ASSOC_REQ_OK) &&
+	    !(sta->flags & WLAN_STA_ASSOC)) {
+		hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+			       HOSTAPD_LEVEL_INFO, "Station sent another "
+			       "assoc req before assoc resp. Discarding");
+		return;
+	}
+
 	if (hapd->tkip_countermeasures) {
 		resp = WLAN_REASON_MICHAEL_MIC_FAILURE;
 		goto fail;
@@ -1548,6 +1556,7 @@ static void handle_assoc_cb(struct hostapd_data *hapd,
 			       "did not acknowledge association response");
 		if (status == WLAN_STATUS_SUCCESS)
 			hostapd_drv_sta_remove(hapd, sta->addr);
+		sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
 		return;
 	}