From 34a26ed6328aa445c420308cbc851b9eb27bcbfa Mon Sep 17 00:00:00 2001
From: Sarvesh Bodakhe
Date: Thu, 25 Jan 2024 12:01:21 +0530
Subject: [PATCH] fix(wifi): Avoid dereferencing a dangling function pointer in WPS supplicant

Avoid dereferencing a dangling function pointer in 'eap_server_sm_deinit()'. This issue arises when hostap unregisteres EAP methods before it removes the server state machine for station.
---
 components/wpa_supplicant/src/ap/wps_hostapd.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/components/wpa_supplicant/src/ap/wps_hostapd.c b/components/wpa_supplicant/src/ap/wps_hostapd.c
index 3210438f94..a2b7ecc6dd 100644
--- a/components/wpa_supplicant/src/ap/wps_hostapd.c
+++ b/components/wpa_supplicant/src/ap/wps_hostapd.c
@@ -321,6 +321,14 @@ fail:
 return -1;
 }
 
+#ifdef ESP_SUPPLICANT
+static int ap_sta_server_sm_deinit(struct hostapd_data *hapd,
+ struct sta_info *sta, void *ctx)
+{
+ ieee802_1x_free_station(hapd, sta);
+ return 0;
+}
+#endif /* ESP_SUPPLICANT */
 
 void hostapd_deinit_wps(struct hostapd_data *hapd)
 {
@@ -332,6 +340,11 @@ void hostapd_deinit_wps(struct hostapd_data *hapd)
 }
 wps_registrar_deinit(hapd->wps->registrar);
 hapd->wps->registrar = NULL;
+
+#ifdef ESP_SUPPLICANT
+ ap_for_each_sta(hapd, ap_sta_server_sm_deinit, NULL);
+#endif /* ESP_SUPPLICANT */
+
 eap_server_unregister_methods();
 hapd->wps = NULL;
 hostapd_wps_clear_ies(hapd, 1);
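Review bot: `ap_sta_server_sm_deinit()` is named for the EAP server state machine but calls `ieee802_1x_free_station()`, which by its name releases the station's whole 802.1X state, and the hunk carries no comment saying why that is acceptable for stations that are not in a WPS exchange. A short header comment would make the intent reviewable, for example `/* ap_for_each_sta() callback: free the station's 802.1X/EAP state so no EAP method pointer outlives eap_server_unregister_methods(). */`. The `ctx` parameter is unused; a `(void)ctx;` line would keep builds quiet if the project enables unused-parameter warnings.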
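Review bot: The fix relies on `ap_for_each_sta(hapd, ap_sta_server_sm_deinit, NULL);` running before `eap_server_unregister_methods()`, but that ordering requirement is not stated at the call site, so a later reorder of these lines would silently reintroduce the dangling pointer. I would add a comment directly above the call, such as `/* Must precede eap_server_unregister_methods(): per-station EAP state still points at the registered methods. */`. The teardown is also enforced only here; any other caller of `eap_server_unregister_methods()` (none is visible in this patch) would need the same walk, so it is worth checking whether it belongs next to the unregister itself. `hostapd_deinit_wps()` starts and ends outside the hunk, so the early-exit paths were not reviewed.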