wpa_supplicant: Don't process EAPOL frames while disconnecting
An EAPOL frame may be pending when wpa_supplicant requests to
deauthenticate. At this stage the EAP SM cache is already cleaned by
calling eapol_sm_invalidate_cached_session(). Since at this stage the
wpa_supplicant's state is still set to associated, the EAPOL frame is
processed and results in a crash due to NULL dereference.
This wasn't seen previously as nl80211 wouldn't process the
NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
set the valid_handler to NULL. This behavior was changed in commit ab89291928fa exposing this race.
Fix it by ignoring EAPOL frames while the deauthentication is in
progress.
Fixes: ab89291928fa ("nl80211: Use process_bss_event() for the nl_connect handler") Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Stefan Paetow [Thu, 11 Mar 2021 18:47:36 +0000 (18:47 +0000)]
eapol_test: Add address family for IPv4 in Windows build
Add the address family when manually constructing IPv4 addresses in
eapol_test on Windows. Otherwise other functions, like hostapd_ip_txt()
in src/utils/ip_addr.c, that rely on addr->af being set fail miserably.
The non-Windows option uses hostapd_parse_ip_addr() which does this as
part of the helper function.
Swarn Singh [Fri, 5 Mar 2021 05:10:04 +0000 (10:40 +0530)]
Add support to return bandwidth for channel 2 of the 6 GHz band
The 6 GHz band operating class 136 is defined to use 20 MHz bandwidth.
Return the value accordingly from center_idx_to_bw_6ghz() to cover this
special case.
New vendor attribute to configure TWT mantissa in microseconds
Define the following additional TWT attribute for
qca_wlan_vendor_attr_twt_setup:
QCA_WLAN_VENDOR_ATTR_TWT_SETUP_WAKE_INTVL2_MANTISSA to configure the
mantissa in microseconds.
Ben Greear [Sat, 6 Mar 2021 16:18:38 +0000 (08:18 -0800)]
TWT: Support sending TWT Setup and Teardown Action frames
This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For
now, these are only for testing purposes to be able to trigger
transmission of the TWT Action frames without configuring any local
behavior for TWT in the driver.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Jouni Malinen [Sat, 6 Mar 2021 23:35:25 +0000 (01:35 +0200)]
Update VHT capabilities info on channel switch event
This is needed to be able to move from 80 MHz or lower bandwidth to 160
or 80+80 MHz bandwidth (and back) properly without leaving the Beacon
frame VHT elements showing incorrect information.
Avraham Stern [Wed, 17 Feb 2021 10:14:33 +0000 (12:14 +0200)]
nl80211: Use process_bss_event() for the nl_connect handler
The nl_connect is initialized with the process_bss_event() handler.
However, it is used several times with the default valid handler. As a
result, if a message that is only valid for process_bss_event() is
received while the default handler is used, it will be dropped.
This has been observed in a case where during the 4-way handshake, a
Beacon frame is received on the AP side, which triggers a beacon update,
just before receiving the next EAPOL. When send_and_recv_msgs_owner() is
called for sending the NL80211_CMD_SET_BEACON command, the
NL80211_CMD_CONTROL_PORT_FRAME event is already pending. As a result, it
is received with the default handler, which drops it. Since the EAPOL
frame is dropped, the connection attempt fails.
Fix it by using the process_bss_event() handler when the nl_connect
handler is used.
Jouni Malinen [Sat, 6 Mar 2021 09:56:00 +0000 (11:56 +0200)]
DPP: Clear hapd->gas pointer on deinit
While it does not look like the stale pointer could have been
dereferenced in practice, it is better not to leave the stale pointer to
freed memory in place to avoid accidental uses.
Michael Braun [Mon, 1 Mar 2021 21:27:46 +0000 (23:27 +0200)]
Fix use after free with hapd->time_adv on interface restart
When an interface is disabled, e.g. due to radar detected,
hapd->time_adv is freed by hostapd_free_hapd_data(), but later
used by ieee802_11_build_ap_params() calling hostapd_eid_time_adv().
Thus hapd->time_adv needs to be cleared as well.
Fixes: 39b97072b2a4 ("Add support for Time Advertisement") Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Matthew Wang [Sat, 6 Mar 2021 01:43:44 +0000 (17:43 -0800)]
Reject authentication start during explicit roam requests
The roam D-Bus and ROAM control itnerface commands flip the reassociate
bit before calling wpa_supplicant_connect(). wpa_supplicant connect
eventually aborts ongoing scans (if any), which causes scan results to
be reported. Since the reassociate bit is set, this will trigger a
connection attempt based on the aborted scan's scan results and cancel
the initial connetion request. This often causes wpa_supplicant to
reassociate to the same AP it is currently associated to instead of the
explicitly requested roaming target.
Add a roam_in_progress flag to indicate that we're currently attempting
to roam via an explicitly request to a specific BSS so that we don't
initiate another connection attempt based on the possibly received scan
results from a scan that was in progress at the time the roam command
was received.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Jouni Malinen [Mon, 1 Mar 2021 10:51:20 +0000 (12:51 +0200)]
wpaspy: Do not mark not-existing UNIX domain socket as UDP
os.stat(path) failure is an ambigious indication of the control
interface "path" type (UDP hostname vs. UNIX domain socket path). The
path may be a valid UNIX domain socket path, but that socket could have
been removed just before reaching here. At least the hwsim test case
concurrent_p2pcli managed to hit the "connect exception" print below
from UDP handling even when using a UNIX domain socket.
Work around incorrect determination of control interface socket type by
assuming anything starting with '/' is a UNIX domain socket and not a
hostname.
Fixes: a2c88a8025b2 ("wpaspy: Add support for UDP connection") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Mon, 1 Mar 2021 10:34:05 +0000 (12:34 +0200)]
tests: Fix openssl_systemwide_policy cleanup
Need to close the WpaSupplicant instance on the extra radio before
returning from this test case since that interface is going to be
removed and WpaSupplicant.__del__() can time out on trying to detach the
monitor connection after that.
Jouni Malinen [Sun, 28 Feb 2021 21:27:13 +0000 (23:27 +0200)]
OCV: Fix OCV-FAILURE event address for FT Reassociation Response frame
sm->bssid is still the BSSID of the previous AP at this point in the FT
protocol, so need to show the target AP's BSSID instead in the failure
message.
Jouni Malinen [Sun, 28 Feb 2021 18:20:38 +0000 (20:20 +0200)]
tests: Display unexpected stdout and stderr prints in parallel-vm.py
Make it more difficult to miss issues that were previously only printed
out in /tmp/hwsim-test-logs/*-parallel.log. This covers things like
memory leaks and test script failures or forgotten development time
prints to stdout.
Jouni Malinen [Sun, 28 Feb 2021 16:39:49 +0000 (18:39 +0200)]
SAE: Use more explicit IE payload validation steps
This is an attempt of making the code easier to understand for static
analyzers. The helper functions were already verifying that these IEs
are fully within the memory buffer, but that may not have been clear
enough for automated analysis.
Jouni Malinen [Sun, 28 Feb 2021 09:51:16 +0000 (11:51 +0200)]
Use more consistent iface->conf checks
Commit f1df4fbfc7ad ("mesh: Use setup completion callback to complete
mesh join") added a check for iface->conf being NULL into a debug print.
However, it is not clear how that could be NULL here. In any case,
setup_interface() could end up dereferencing iface->conf in the call to
hostapd_validate_bssid_configuration(), so better be consistent with the
checks and not get warnings from static analyzers regardless of whether
this can happen in practice.
Jouni Malinen [Sun, 28 Feb 2021 09:37:09 +0000 (11:37 +0200)]
PASN: Avoid unreachable code with CONFIG_NO_RADIUS
There is no point in trying to build in rest of this function if in the
middle of it the CONFIG_NO_RADIUS case would unconditionally fail.
Simply make all of this be conditional on that build parameter not being
set to make things easier for static analyzers.
Jouni Malinen [Sun, 28 Feb 2021 09:27:42 +0000 (11:27 +0200)]
FILS: Fix RSN info in FD frame for no-group-addressed
The value from the initial RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED check
ended up getting overridden with the following if. This was supposed to
be a single if statement to avoid that.
Fixes: 9c02a0f5a672 ("FILS: Add generation of FILS Discovery frame template") Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 27 Feb 2021 21:42:21 +0000 (23:42 +0200)]
Fix dynamic EAP library building
Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant
binary and include the shared helper functions from additional files
into the builds. This got broken at some point with the build system
changes.
Jouni Malinen [Sat, 27 Feb 2021 19:07:54 +0000 (21:07 +0200)]
tests: Fix sigma_dut_ap_dpp_tcp_enrollee_init to stop hostapd
This test case was missing an explicit CAPI ap_reset_default and that
could result in hostapd being left running at the end of the test case.
This could result in issues with following test cases if they used a new
radio interface from HWSimRadio().
Jouni Malinen [Tue, 16 Feb 2021 09:34:50 +0000 (11:34 +0200)]
Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.
Jimmy Chen [Mon, 12 Oct 2020 02:23:40 +0000 (10:23 +0800)]
P2P: Pick a 5 GHz channel from more possible channels
For an autonomous P2P group on the 5 GHz band, a channel was picked only
from the operating class 115 which is not available in the EU region
anymore. As a result, an autonomous group creation would always fail in
this generic 5 GHz channel case.
There are more possible available channels for the 5 GHz currently.
Especially in the EU region, the operating class 115 channels are no
longer available, but SRD channels (the operating class 124) are
available. Allow them to be used here if they are marked as allowed for
P2P GO use.
In addition, iterate through all the potential options instead of just
checking the first randomly picked channel. Start this iteration from
random position to maintain some randomness in this process.
Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
Jouni Malinen [Sat, 27 Feb 2021 16:10:41 +0000 (18:10 +0200)]
tests: Work around exception handling issue in wpas_config_file
Raising an exception while the wlan5 interface was remove (i.e., between
wpas.interface_remove() and .interface_add() calls) would result in the
cleanup code failing and generating yet another exception while the
first one was being processed. Work around this by re-adding the wlan5
interface back temporarily if the interface is not available for the
cleanup operations.
Determine if the TDLS peer is HE capable based on HE Capability element
received in the TDLS Setup Response frame. Indicate the peer's HE
capabilities to the driver through sta_add().
Jouni Malinen [Tue, 8 Dec 2020 21:52:50 +0000 (23:52 +0200)]
P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Reordering of code in handle_auth_cb() when adding support for full
station state messaged up frame length checks. The length was originally
tested before looking at the payload of the frame and that is obviously
the correct location for that check. The location after those full state
state changes was after having read six octets of the payload which did
not help at all since there was no addition accesses to the payload
after that check.
Move the payload length check to appropriate place to get this extra
level of protection behaving in the expected manner. Since this is a TX
status callback handler, the frame payload is from a locally generated
Authentication frame and as such, it will be long enough to include
these fields in production use cases. Anyway, better keep this check in
working condition.
Fixes: bb598c3bdd06 ("AP: Add support for full station state") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Sun, 21 Feb 2021 14:58:33 +0000 (16:58 +0200)]
tests: Fix the cleanup at the end of scan_setband
The iteration of WpaSupplicant instances used incorrect variable and
ended up cleaning up only the wlan5 interface. This left unexpected
setband parameter for wlan0/wlan1/wlan2 which could result in
consecutive test cases failing due to scan not finding the expected
BSSs.
Jouni Malinen [Sun, 21 Feb 2021 14:44:33 +0000 (16:44 +0200)]
DPP2: Accept Config Result before GAS response TX status
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.
Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.
Jouni Malinen [Sun, 21 Feb 2021 10:07:38 +0000 (12:07 +0200)]
radiotap: Fix compiler issues with packed structures
Replace the Radiotap parser platform.h file with use of helper functions
from utils/common.h to avoid compiler issues with the updated design and
getting pointers to members of packet structs.
Silence the warning about _next_bitmap assignment. This pointer is
dereferenced only with operations that are safe for unaligned access, so
the compiler warning is not helpful here.
__packed might not be defined in this context, so use STRUCT_PACKED from
utils/common.h.
projects / thirdparty / hostap.git / log
