[PATCH] EAP: Avoid incrementing round counter for non-initial Identity Requests
xinpeng wang
wangxinpeng at uniontech.com
Tue Dec 16 19:57:32 PST 2025
From: "xinpeng.wang" <wangxinpeng at uniontech.com>
The EAP state machine uses two counters (num_rounds and num_rounds_short) to prevent
protocol loops and Denial-of-Service (DoS) attacks by limiting the total number of
EAP message round-trips. Exceeding these limits leads to the EAP state machine
transitioning to the FAILURE state.
Currently, any received EAP Request triggers an increment to these counters in
SM_STATE(EAP, RECEIVED).
In various network environments, particularly after successful authentication, the
Authenticator may periodically send EAP Identity Requests as a non-standard Keep-Alive
or probing mechanism.
Since these Identity Requests are often short messages, they rapidly increase
'num_rounds_short'. This causes the EAP state machine to transition into the FAILURE
state even when the underlying network connection is secure and authorized, leading to
unnecessary EAP failure logging and instability in the Supplicant's state, even if it
does not strictly disconnect the network.
Modify the round-trip counting logic in SM_STATE(EAP, RECEIVED) to only increment the
counters if:
1. The received message is NOT an EAP Identity Request, OR
2. The Supplicant has not yet selected an EAP method (i.e., it is the genuine initial
Identity Request initiating a new session).
This change ensures that:
- Core protection against protocol loops for EAP methods remains effective.
- Non-initial Identity Requests used for network probing/Keep-Alive are ignored by the
round counter, preventing spurious EAP FAILURE transitions after a successful connection.
Signed-off-by: xinpeng wang <wangxinpeng at uniontech.com>
---
src/eap_peer/eap.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 935286242..ec89195bd 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -313,11 +313,13 @@ SM_STATE(EAP, RECEIVED)
eapReqData = eapol_get_eapReqData(sm);
/* parse rxReq, rxSuccess, rxFailure, reqId, reqMethod */
eap_sm_parseEapReq(sm, eapReqData);
- sm->num_rounds++;
- if (!eapReqData || wpabuf_len(eapReqData) < 20)
- sm->num_rounds_short++;
- else
- sm->num_rounds_short = 0;
+ if (sm->selectedMethod != EAP_TYPE_NONE || sm->reqMethod != EAP_TYPE_IDENTITY) {
+ sm->num_rounds++;
+ if (!eapReqData || wpabuf_len(eapReqData) < 20)
+ sm->num_rounds_short++;
+ else
+ sm->num_rounds_short = 0;
+ }
}
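Review bot: The new condition in SM_STATE(EAP, RECEIVED) is the inverse of what the commit message describes. The message says the counters should still be incremented when no method has been selected yet (the genuine initial Identity Request), but `sm->selectedMethod != EAP_TYPE_NONE || sm->reqMethod != EAP_TYPE_IDENTITY` counts an Identity Request only when a method is already selected, which is exactly the post-authentication keep-alive case the patch wants to exempt, and it skips counting when selectedMethod is EAP_TYPE_NONE. If the description is the intended behaviour, the first test should read `sm->selectedMethod == EAP_TYPE_NONE`. Either way, please state in a comment above the `if` which Identity Requests are exempt and why, because any exempt class of request is no longer bounded by num_rounds or num_rounds_short and a peer that keeps sending it will never drive the state machine to FAILURE. The condition line also runs past 80 columns and should be wrapped.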
@@ -1499,7 +1501,7 @@ static void eap_sm_processIdentity(struct eap_sm *sm, const struct wpabuf *req)
const u8 *pos;
size_t msg_len;
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
+ wpa_msg(sm->msg_ctx, MSG_DEBUG, WPA_EVENT_EAP_STARTED
"EAP authentication started");
eap_notify_status(sm, "started", "");
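Review bot: The change of the WPA_EVENT_EAP_STARTED message from MSG_INFO to MSG_DEBUG in eap_sm_processIdentity() is not mentioned anywhere in the commit message and is unrelated to the round counter logic. WPA_EVENT_EAP_STARTED is an event string that consumers of wpa_msg() output may be matching on, so lowering its level can hide the start of every EAP exchange from anything listening at the default verbosity, including the initial one. Please either split this into its own patch with a justification, or keep MSG_INFO here and only suppress the message for the repeated Identity Requests the patch is about.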
--
2.51.0