From 8106d82b4e27ef0453012bfa4fd05f86edb65d95 Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <a@unstable.cc>
Date: Wed, 28 Aug 2019 21:06:15 +0200
Subject: [PATCH] fast_transition: fix crash by parsing RSN IE only if present

When performing a fast transition to another OPEN network the RSN
element won't be there and therefore the bss->rsne is gonna be NULL.

Fix crash by not accessing the rsne member when performing a fast
transition to an AP that doe snot advertise any RSN IE.

Crash caught with gdb:

 src/station.c:station_transition_start() 186, target 34:8f:27:2f:b8:fc

 Program received signal SIGSEGV, Segmentation fault.
 handshake_state_set_authenticator_ie (s=0x555555626eb0, ie=0x0) at src/handshake.c:163
 163		s->authenticator_ie = l_memdup(ie, ie[1] + 2u);
 (gdb) bt
 #0  handshake_state_set_authenticator_ie (s=0x555555626eb0, ie=0x0) at src/handshake.c:163
 #1  0x0000555555561a98 in fast_transition (netdev=0x55555562fbe0, target_bss=0x55555561f4a0,
     over_air=over_air@entry=true, cb=0x55555556d5b0 <station_fast_transition_cb>) at src/netdev.c:3164
 #2  0x0000555555565dfd in netdev_fast_transition (netdev=<optimized out>, target_bss=<optimized out>,
     cb=<optimized out>) at src/netdev.c:3232
 #3  0x000055555556ccbd in station_transition_start (bss=0x55555561f4a0, station=0x555555617da0)
     at src/station.c:1261
 #4  station_roam_scan_notify (err=<optimized out>, bss_list=<optimized out>, userdata=0x555555617da0)
     at src/station.c:1444
 #5  0x0000555555579560 in scan_finished (sc=0x55555562bf80, err=err@entry=0, bss_list=0x55555561bd90,
     sr=0x555555626b30, wiphy=<optimized out>) at src/scan.c:1234
 #6  0x0000555555579620 in get_scan_done (user=0x555555618920) at src/scan.c:1264
 #7  0x00005555555abd23 in destroy_request (data=0x55555561b000) at ell/genl.c:673
 #8  0x00005555555ac129 in process_unicast (nlmsg=0x7fffffffc310, genl=0x55555560b7a0) at ell/genl.c:940
 #9  received_data (io=<optimized out>, user_data=0x55555560b7a0) at ell/genl.c:1039
 #10 0x00005555555a8aa3 in io_callback (fd=<optimized out>, events=1, user_data=0x55555560b840)
     at ell/io.c:126
 #11 0x00005555555a7ccd in l_main_iterate (timeout=<optimized out>) at ell/main.c:473
 #12 0x00005555555a7d9c in l_main_run () at ell/main.c:520
 #13 l_main_run () at ell/main.c:502
 #14 0x00005555555a7fac in l_main_run_with_signal (callback=<optimized out>, user_data=0x0)
    at ell/main.c:642
 #15 0x000055555555e5b8 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:519
---
 src/netdev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/netdev.c b/src/netdev.c
index db92cecb..0e52ca36 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2903,7 +2903,8 @@ static int fast_transition(struct netdev *netdev, struct scan_bss *target_bss,
 	handshake_state_set_authenticator_address(netdev->handshake,
 							target_bss->addr);
 
-	handshake_state_set_authenticator_ie(netdev->handshake,
+	if (target_bss->rsne)
+		handshake_state_set_authenticator_ie(netdev->handshake,
 							target_bss->rsne);
 	memcpy(netdev->handshake->mde + 2, target_bss->mde, 3);