If wpa_state is left to SCANNING by a previously executed test case,
scan_trigger_failure will fail. Instead of waiting for that failure,
check for wpa_state at the beginning of the test case and report a more
helpful error message if the test case would fail due to a previously
executed test case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 192ad3d730 ('Interworking: Clear
SCANNING state if no match found') did this for the case where no
network matched credentials, but left the SCANNING state in place if
there were a match, but automatic connection was not enabled. Extend
this to cover the case where INTERWORKING_SELECT is not followed by a
connection attempt so that wpa_state is not left indefinitely to
SCANNING.
This fixes a hwsim test case failure in the following sequence:
ap_anqp_sharing scan_trigger_failure
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_s->sme.auth_alg could have been left to a previously value other
than WPA_AUTH_ALG_OPEN if IBSS network is used after an association that
used shared key, FT, or FILS authentication algorithm. This could result
in the IBSS setup failing due to incorrect authentication processing
steps.
Fix this by setting wpa_s->sme.auth_alg = WPA_AUTH_ALG_OPEN whenever
starting an IBSS (or mesh, for that matter) network.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 8e84921efe ('P2P: Support driver
preferred freq list for Autonomous GO case') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.
Fix this by moving the index variable check to be done before using it
to fetch a value from the array.
This code is used only if wpa_supplicant is build with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.
Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Commit 370017d968 ('P2P: Use preferred
frequency list from the local driver') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.
Fix this by moving the index variable check to be done before using it
to fetch a value from the array.
This code is used only if wpa_supplicant is build with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.
Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Add two tests that check if the kernel BSS leak (when we get a deauth or
otherwise abandon an association attempt) is present in the kernel. This
is for a long-standing cfg80211/mac80211 issue that got fixed with the
kernel commit 'cfg80211/mac80211: fix BSS leaks when abandoning assoc
attempts'.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This is to handle the case when peer changes device name and same needs
to be updated to upper layers by P2P-DEVICE-FOUND event. It is similar
to the case when a peer changes wfd_subelems and P2P-DEVICE-FOUND event
goes to upper layers.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
When a peer device stops sending wfd_subelems, wpa_supplicant should
remove dev->info.wfd_subelems from peer's properties. Previously,
wpa_supplicant left the previously learned dev->info.wfd_subelems in
place whenever the new message did not include wfd_subelems.
In addition to fixing the clearing of the old wfd_subelems, this
resolves another issue. As "wfd_changed" variable becomes true even when
peer stops sending wfd_subelems and dev->info.wfd_subelems has an old
value, a new P2P-DEVICE-FOUND event notification was sent again and
again to upper layers whenever a new discovery response was received
from the peer that previously advertised WFD subelements.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
This makes wpa_supplicant behavior more consistent with FLUSH command to
clear all state. Previously, it was possible for an ongoing scan to be
aborted when the FLUSH command is issued and the scan results from that
aborted scan would still be processed and that would update the BSS
table which was supposed to cleared by the FLUSH command.
This could result in hwsim test case failures due to unexpected BSS
table entries being present after the FLUSH command.
Signed-off-by: Jouni Malinen <j@w1.fi>
The final check in this test case was issuing a new P2P_FIND command
immediately after the P2P_SERVICE_DEL command on the peer. It looked
like it was possible for the scan timing to go in a sequence that made
the new P2P_FIND operation eventually accept a cfg80211 BSS entry from
the very end of the previous P2P_FIND. This resulted in unexpected
P2P-DEVICE-FOUND event even though there was no new Probe Response frame
from the peer at that point in time.
Make this less likely to show unrelated failures by waiting a bit before
starting a new P2P_FIND operation after having changes peer
configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, this flag was cleared only in case of failed GO Negotiation.
That could leave the flag set for a peer and if a new group formation
was performed with the same peer before the entry expired, there was
increased risk of getting stuck in a state where neither peer replied to
a GO Negotiation Request frame if a GO Negotiation Response frame with
Status 1 was dropped.
The error sequence could happen in the go_neg_with_bss_connected test
case when timing was suitable to make the second GO negotiation drop a
pending TX Action frame if the GO Negotiation Response with Status 1 was
scheduled for transmission during a P2P scan and P2P_CONNECT was issued
before that scan got aborted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is a regulatory requirement for Specific Absorption Rate (SAR)
whereby the device transmit power is reduced when it is determined that
the device is in close proximity to the body. Implement a vendor command
interface to allow a userspace entity to dynamically control the SAR
power limits.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.
Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
Setting wep_key# to an empty string will now clear a previously
configured key. This is needed to be able to change WEP configured AP to
using WPA/WPA2 through the hostapd control interface SET commands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Reject a passphrase with control characters instead of trying to write
out an example network configuration block with such control characters
included.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On a connect nl80211 event, wpa_supplicant uses
wpa_driver_nl80211_get_ssid() to fetch the current associated SSID to
compare to existing configurations. However,
wpa_driver_nl80211_get_ssid() uses drv->ssid, which is a cached value.
It is set when we explicitly initial a connect request using
wpa_supplicant. If the association was initiated outside of
wpa_supplicant, we need another way to populate drv->ssid. This commit
sets drv->ssid based on cfg80211 BSS information on connect/associate
nl80211 events.
Signed-off-by: Ningyuan Wang <nywang@google.com>
Commit adcd7c4b0b ('nl80211: Support
vendor scan together with normal scan') made the drv->scan_state updates
for NL80211_CMD_NEW_SCAN_RESULTS and NL80211_CMD_SCAN_ABORTED
conditional on drv->last_scan_cmd being NL80211_CMD_TRIGGER_SCAN. This
missed the part about the possibility of last_scan_cmd == 0 and an
externally started cfg80211 scan is ending. This could leave
drv->scan_state into SCAN_STARTED state even after the scan was
completed. Consequently, hwsim test cases could get stuck in reset()
handler waiting for scan to terminate.
Fix this by updating drv->scan_state also in drv->last_scan_cmd == 0
case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.
By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.
When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.
This also does not implement Directed Multicast Service (DMS).
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
We should unconditionally remove inactivity timers for wired network
cases. This commit checks for this after a new station association:
hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED
and then cancels the timeout and does not register a new one.
It prints out a debug message like this:
1476740180.276286: IEEE 802.1X: 00:02:00:00:00:07 CTRL_DIR entering
state FORCE_BOTH
1476740180.276295: hostapd_new_assoc_sta: canceled wired ap_handle_timer
timeout for 00:02:00:00:00:07
This was tested on a debian jessie amd64 system with a configured 120
second inactivity timer and the session did not timeout.
Signed-off-by: Sam Tannous <stannous@cumulusnetworks.com>
Skipping the scan altogether will hurt auto-reconnect. Also move the PNO
check down since the scan might be canceled for other reasons before we
defer it.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Do not use the generic bss_info_handler() design to fetch all scan
results into temporary memory buffer. Instead, use a separate BSS info
handler that fetches the requested information without fully parsing the
BSS entries and without allocating any memory for collecting all the
results.
This is also simplifying bss_info_handler() and nl80211_parse_bss_info()
design by getting rid of the special case that was used only for
nl80211_get_assoc_freq() and not normal scan result fetching.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of fetching all scan results to a temporary buffer, debug print
scan result dump directly from the message handler function one BSS at a
time.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows a single scan result to be parsed at a time. This is a step
towards optimizing scan result fetching without having to allocate
memory for all entries at the same time.
Signed-off-by: Jouni Malinen <j@w1.fi>
The way the removal of duplicated (one per frequency) BSS entries in the
cfg80211 scan results were removed in driver_nl80211_scan.c
bss_info_handler() depended on having the full scan results available to
allow iteration through the other entries. This is problematic for the
goal of being able to optimize memory allocations for scan result
fetching in a manner that would not build the full result buffer in
memory.
Move this duplicate removal into bss.c since it has sufficient
information available for doing the same determination of which one of
two BSS entries is more current.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_priv has never really been fully up-to-date with the wpa_supplicant
driver interface extensions. This does not seem like something that
would change in the future either, so document this reduced
functionality as a potential drawback.
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids a theoretical resource leak on exit path if wpa_priv is
killed while there is a wpa_supplicant process using it.
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids some valgrind warnings about use of uninitialized memory in
cases where a struct may have padding octets between the fields.
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of some dependencies on how extra octets at the end of the
struct sockaddr_un get "uninitialized" consistently by only using the
exact length of the address data from the recvfrom() call. This resolves
number of valgrind warnings about use of uninitialized memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to be able to work with many wpa_supplicant use cases,
e.g., due to use of TDLS or RSN pre-authentication needing a separate
l2_packet socket.
Signed-off-by: Jouni Malinen <j@w1.fi>
These test cases verify that there is no duplicate processing of P2P
Action frames while operating in a P2P group.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows a single scan result to be checked at a time. This is a step
towards optimizing scan result fetching without having to allocate
memory for all entries at the same time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This untangles the NL80211_CMD_GET_SURVEY handler loop from
NL80211_CMD_GET_SCAN processing so that the per-channel noise
information can be fetched with a common function to a local data
structure that can then be easily used to update individual scan results
(a single BSS) instead of having to go through a full set of scan
results. This is a step towards optimizing scan result fetching without
having to allocate memory for all entries at the same time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the ap_wds_sta test case to cover post-reassociation case
(both with and without Authentication frame exchange) and add similar
test cases to cover open and WEP cases in addition to this existing
WPA2-PSK test case.
These cover functionality testing for the previous fix in
reassociation-without-new-authentication case. In addition, these find a
new mac80211 issue for the WEP + 4addr combination.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
