Do not proceed with association if get_bssid() returns failure
author Masashi Honma <masashi.honma@gmail.com>
Sat, 11 Aug 2012 14:46:58 +0000 (17:46 +0300)
committer Jouni Malinen <j@w1.fi>
Sat, 11 Aug 2012 14:46:58 +0000 (17:46 +0300)
This is the normal flow for association:

wpa_supplicant <--(EVENT_ASSOC event )--  device driver
wpa_supplicant  --( get_bssid()      )--> device driver
wpa_supplicant <--( return BSSID     )--  device driver

However, a device driver could return EINVAL for get_bssid() because it
recognizes it has already been disconnected. When the wpa_supplicant
received EINVAL, the bssid field could be used uninitialized in the
following flow:

wpa_supplicant <--(EVENT_ASSOC event )--  device driver
                                          device driver (receive deauth)
wpa_supplicant  --( get_bssid()      )--> device driver
wpa_supplicant <--( return EINVAL    )--  device driver

Prevent this by requiring the get_bssid() call to succeed when
processing association events.

wpa_supplicant/events.c

index 3b52f2d..8f40150 100644 (file)
@@ -1524,9 +1524,15 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
        if (data && wpa_supplicant_event_associnfo(wpa_s, data) < 0)
                return;
 
+       if (wpa_drv_get_bssid(wpa_s, bssid) < 0) {
+               wpa_dbg(wpa_s, MSG_ERROR, "Failed to get BSSID");
+               wpa_supplicant_disassociate(
+                       wpa_s, WLAN_REASON_DEAUTH_LEAVING);
+               return;
+       }
+
        wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATED);
-       if (wpa_drv_get_bssid(wpa_s, bssid) >= 0 &&
-           os_memcmp(bssid, wpa_s->bssid, ETH_ALEN) != 0) {
+       if (os_memcmp(bssid, wpa_s->bssid, ETH_ALEN) != 0) {
                wpa_dbg(wpa_s, MSG_DEBUG, "Associated to a new BSS: BSSID="
                        MACSTR, MAC2STR(bssid));
                random_add_randomness(bssid, ETH_ALEN);
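
Review bot: The new failure branch at the top of the hunk needs a short comment explaining the race it guards against (the driver can process a deauth between EVENT_ASSOC and get_bssid()) and why a disassociate request is still issued when the driver already considers itself disconnected; without that, `wpa_supplicant_disassociate(wpa_s, WLAN_REASON_DEAUTH_LEAVING)` looks redundant to a later reader. Two smaller points. In the removed lines the `&&` short-circuit already kept `os_memcmp(bssid, wpa_s->bssid, ETH_ALEN)` from reading `bssid` when the call failed, so the uninitialized use described in the commit message is not among the lines shown here; naming that later use in the comment would make the fix easier to verify. The "Failed to get BSSID" message drops the driver's return value, so consider storing the result of `wpa_drv_get_bssid(wpa_s, bssid)` and logging it. Also worth confirming that returning here, after `wpa_supplicant_event_associnfo(wpa_s, data)` has already run, leaves nothing behind that the disassociate path does not clean up.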