P2P: Check Action frame payload match before accepted TX status

It is possible for there to be two pending off-channel TX frames, e.g.,
when two devices initiate GO Negotiation at more or less the same time.
This could result in the TX status report for the first frame clearing
wpa_s->pending_action_tx that included the newer frame that has not yet
been transmitted (i.e., is waiting to be sent out). Avoid losing that
frame by confirming that the TX status payload matches the pending frame
before clearing the pending frame and reporting the TX status callback.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/offchannel.c b/wpa_supplicant/offchannel.c
index d94407c4f731508e3c26fefbc39e4b9417890c1c..40cbea1dba4b91455b4e96887cb19d0073e11a60 100644 (file)
--- a/wpa_supplicant/offchannel.c
+++ b/wpa_supplicant/offchannel.c
@@ -159,6 +159,21 @@ void offchannel_send_action_tx_status(
                return;
        }
 
+       /* Accept report only if the contents of the frame matches */
+       if (data_len - wpabuf_len(wpa_s->pending_action_tx) != 24 ||
+           os_memcmp(data + 24, wpabuf_head(wpa_s->pending_action_tx),
+                     wpabuf_len(wpa_s->pending_action_tx)) != 0) {
+               wpa_printf(MSG_DEBUG, "Off-channel: Ignore Action TX status - "
+                                  "mismatching contents with pending frame");
+               wpa_hexdump(MSG_MSGDUMP, "TX status frame data",
+                           data, data_len);
+               wpa_hexdump_buf(MSG_MSGDUMP, "Pending TX frame",
+                               wpa_s->pending_action_tx);
+               return;
+       }
+
+       wpa_printf(MSG_DEBUG, "Off-channel: Delete matching pending action frame");
+
        wpabuf_free(wpa_s->pending_action_tx);
        wpa_s->pending_action_tx = NULL;