FT: Drop FT Action frames if ft_over_ds=0

Previously, the hostapd ft_over_ds parameter was used to only advertise
whether FT-over-DS is enabled in MDE and leave it to the stations to
follow that advertisement. This commit extends this to explicitly reject
(silently drop) FT Action frames if a station does not follow the
advertised capabilities.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 637d6d64ea1c7fe27d56467db172898dcd572dc1..7ab371f90733d9f77e3d997845fb94db23533274 100644 (file)
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -1293,6 +1293,11 @@ int wpa_ft_action_rx(struct wpa_state_machine *sm, const u8 *data, size_t len)
 
        wpa_hexdump(MSG_MSGDUMP, "FT: Action frame body", ies, ies_len);
 
+       if (!sm->wpa_auth->conf.ft_over_ds) {
+               wpa_printf(MSG_DEBUG, "FT: Over-DS option disabled - reject");
+               return -1;
+       }
+
        /* RRB - Forward action frame to the target AP */
        frame = os_malloc(sizeof(*frame) + len);
        if (frame == NULL)