Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.
This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The structures are all allocated, so the pointer can be compared to NULL
to determine whether the subelement was present.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a subelement is unexpectedly included multiple times, the parser must
not re-allocate memory for the entry without first freeing the old
allocation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
QCA vendor extension is used for NAN functionality. This defines the
subcommand and attribute to address this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 41d5ce9e0b added scan optimizations
for P2P invitation cases. However, it left a path where the invitation
state was not cleared and as such, introduced potential issues for
following scans that ended up getting incorrectly optimized for a single
channel regardless of parameters. Fix this by clearing p2p_in_invitation
more carefully, especially on p2p_cancel command.
p2p_cancel is now also run from the FLUSH command to avoid issues with
hwsim test cases (e.g., persistent_group_per_sta_psk followed by
ap_open_tdls resulted in an error due to p2p_in_invitation remaining set
after FLUSH).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wnm_deallocate_memory() left wnm_num_neighbor_report set while freeing
the allocated buffer of neighbor reports. If this function was called
twice in a row without having went through new neighbor report parsing,
invalid pointers could have been freed resulted in segfault.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The newer NFC_REPORT_HANDOVER command is more general version that
handles the cases where NFC_RX_HANDOVER_SEL could potentially have been
used. In addition, with the new WPS NFC design, it is important to
receive the handover request message that was used in the handover in
addition to the select message, so the NFC_RX_HANDOVER_SEL command on
its own would not be sufficient for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
run-tests.py now takes an optional --long parameter that can be used to
enable running of test cases that take a long time (multiple minutes).
By default, such test cases are skipped to avoid making the normal test
run take excessive amounts of time.
As an initial long test case, verify WPS PBC walk time expiration (two
minutes).
Signed-off-by: Jouni Malinen <j@w1.fi>
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit dbfb8e82ff changed the Action frame
RX payload pointer design to point to a different field. WNM Sleep Mode
Response handler updated one of the uses to accommodate this change, but
that commit missed another use for key data length. This resulted in GTK
and IGTK being ignored in many cases when waking up from WNM Sleep Mode
with PMF enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
"SET tdls_testing 0x800" can be used to enable a special test mode that
forces the FTIE MIC in TDLS setup messages to be incorrect.
Signed-off-by: Jouni Malinen <j@w1.fi>