P2P: Ignore unexpected GO Neg Resp is we have sent Resp

There is a race condition in GO Negotiation Request frame sending and
processing that may end up with both devices sending GO Negotiation
Response. This response frame was previously accepted even if a response
had already been sent. This could result in two GO Negotiation Confirm
frames being exchanged and consequently, with two separate GO
Negotiations completing concurrently. These negotiations could result in
getting mismatching parameters (e.g., both device could believe it was
the GO).

Fix this by ignoring GO Negotiation Response from the peer if twe have
already sent a GO Negotiation Response frame and we have the higher P2P
Device Address. This is similar to the rule used to determine whether to
reply to GO Negotiation Request frame when Request was already sent,
i.e., the same direction of GO Negotiation is maintained here to enforce
that only the negotiation initiated by the device with smaller P2P
Device Address is completed.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
This commit is contained in:
Jouni Malinen 2012-06-09 18:31:24 +03:00
parent a1d2ab329e
commit 198f82a1e3

View file

@ -672,6 +672,17 @@ fail:
if (status == P2P_SC_SUCCESS) { if (status == P2P_SC_SUCCESS) {
p2p->pending_action_state = P2P_PENDING_GO_NEG_RESPONSE; p2p->pending_action_state = P2P_PENDING_GO_NEG_RESPONSE;
dev->flags |= P2P_DEV_WAIT_GO_NEG_CONFIRM; dev->flags |= P2P_DEV_WAIT_GO_NEG_CONFIRM;
if (os_memcmp(sa, p2p->cfg->dev_addr, ETH_ALEN) < 0) {
/*
* Peer has smaller address, so the GO Negotiation
* Response from us is expected to complete
* negotiation. Ignore a GO Negotiation Response from
* the peer if it happens to be received after this
* point due to a race condition in GO Negotiation
* Request transmission and processing.
*/
dev->flags &= ~P2P_DEV_WAIT_GO_NEG_RESPONSE;
}
} else } else
p2p->pending_action_state = p2p->pending_action_state =
P2P_PENDING_GO_NEG_RESPONSE_FAILURE; P2P_PENDING_GO_NEG_RESPONSE_FAILURE;