Previously, mesh state machine transmits updated Commit Message when
receiving a Confirm Message in Committed state. According to the
standard, it should (re)send the latest Commit Message previously sent.
IEEE Std 802.11-2012, 11.3.8.6.4 Protocol instance behavior - Committed
state:
"Upon receipt of a Con event, ... If Sync is not greater than
dot11RSNASAESync, the protocol instance shall increment Sync, transmit
the last Commit Message sent to the peer, and set the t0
(retransmission) timer."
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
dynamic_vlan=required also applies to macaddr_acl=2 (RADIUS), especially
when used with WPA-PSK.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This extends dynamic_vlan=required checks to apply for WPA-PSK with
macaddr_acl=2 (RADIUS) case.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
When iterating through WPS APs that do not advertise Selected Registrar
TRUE, limit the authentication timeout to 10 seconds instead of the full
70 second value used with IEEE 802.1X/EAP/WPS in general. This helps
speed up AP iteration for cases where a selected AP misbehaves and does
not reply to EAP exchanges. This should not really be needed, but there
seems to be deployed APs that do not implement WPS correctly and with
such APs in the radio range, this extra timeout can speed up the
iteration to allow the correct AP to be found before the WPS operation
times out.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, wpa_supplicant was using number of scan iterations
(WPS_PIN_SCAN_IGNORE_SEL_REG = 3) to give some time for finding a WPS AP
with Selected Registrar TRUE before starting to iterate through all WPS
APs. While this works fine in most cases, some drivers may return the
initial three scan results so quickly that the total amount of time is
only couple of seconds in case none of the APs are initially advertising
Selected Registrar TRUE. To give some more time for APs (WPS Registrars)
to become ready, add an additional constraint on the iteration based on
time (WPS_PIN_TIME_IGNORE_SEL_REG = 5 seconds).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The time before trying to associate with an AP that does not advertise
Selected Registrar TRUE is going to be incremented, so increase the
autogo_m2d timeout to avoid reporting incorrect errors due to missing
M2D events.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not add the dedicated P2P Device interface in case P2P is disabled in
the configuration file or globally.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
I needed this option to disable P2P on a buggy system.
Document this so someone else finds it quicker next time.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Previously, only P2P and mesh use cases enforced unique MAC address for
a dynamically added virtual interface. Extend this to cover normal
station mode interfaces since those can now be added with INTERFACE_ADD.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need to try to derive DH shared key with a peer that tries
to use too short or too long DH Public Key. Previously, such cases ended
up implicitly getting rejected by the DH operations failing to produce
matching results. That is unnecessarily, so simply reject the message
completely if it does not have a Public Key with valid length. Accept
couple of octets shorter value to be used to avoid interoperability
issues if there are implementations that do not use zero-padding
properly.
Signed-off-by: Jouni Malinen <j@w1.fi>
This enforces variable length strings Manufacturer, Model Name, Model
Number, and Serial Number to be within the maximum length defined in the
WSC specification. While none of the existing users for these within
hostapd/wpa_supplicant had problems with longer strings, it is good to
ensure the strings are not longer to avoid potential issues at higher
layer components.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Remove the length field from struct ieee802_11_elems since the only
allowed element length is five and that is checked by the parser.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.
Signed-off-by: Jouni Malinen <j@w1.fi>
All the existing users of these elements were already validating the
element length. However, it is clearer to validate this already at the
parser for extra layer of protection for any future changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
Should there not be enough room in the output buffer, the
bss_basic_rate_set line would not be printed. This error case was
handled otherwise, but the temporary memory allocation for building the
information was not freed.
Signed-off-by: Jouni Malinen <j@w1.fi>
tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to
read the 16-octet FTIE MIC when processing a TDLS frame even if the
received FTIE is truncated. At least in theory, this could result in
reading couple of octets beyond the frame buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 88b32a99d3 ('FT: Add FT AP support
for drivers that manage MLME internally') added an alternative way of
processing the WMM TSPEC from RIC. However, that change did not seem to
include the same checks for WMM TSPEC element length that were used in
the original implementation for MLME-in-hostapd case. Fix this by
sharing the older implementation of copying the WMM TSPEC from RIC for
both cases.
It looks like the destination buffer for the response is sufficiently
long for the fixed length copy, but it may have been possible to trigger
a read beyond the end of the FTIE by about 50 bytes. Though, that seems
to be within the buffer received for RX buffer in the case that uses
this driver-based AP MLME design for FT.
Signed-off-by: Jouni Malinen <j@w1.fi>
These functions did not verify that the received frame is long enough to
contain the beginning of the variable length IE area. A truncated frame
could have caused a segmentation fault due to reading beyond the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
This program can be used to run fuzzing tests for areas related to WNM
frame parsing and processing on the client side.
Signed-off-by: Jouni Malinen <j@w1.fi>
This program can be used to run fuzzing tests for areas related to EAPOL
frame parsing and processing on the supplicant side.
Signed-off-by: Jouni Malinen <j@w1.fi>
This program can be used to run fuzzing tests for areas related to P2P
message parsing and processing. p2p-fuzzer allows data files to be used
to inject Probe Response and Action frames for processing by the P2P
module.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it more obvious that the wps_parse_msg() bounds checking is
used to verify that there is sufficient space in the P2P buffer for the
secondary device types.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This modifies couple of code segments that replaced control characters
in strings with '_' to use a common helper function.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While it looks like all the users of this parsed attribute were able to
handle longer SSID values, there is no valid use case for these and to
avoid any potential future issues, enforce maximum length (32 bytes) on
the SSID during parsing.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes source code more consistent. The use within Android driver
interface is left as-is to avoid changes in the old PNO interface
definition.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While it looks like all the users of this parsed attribute were able to
handle longer Device Name values, there is no valid use case for these
and to avoid any potential issues in upper layer components, enforce
maximum length (32 bytes) on the Device Name during parsing.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While none of the current users of msg.persistent_ssid{,_len} would have
issues with too long SSID value, it is safer to enforce bounds checking
on the SSID while parsing the attribute to avoid any potential issues in
the future.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The SSID element is defined to have a valid length range of 0-32. While
this length was supposed to validated by the users of the element
parser, there are not really any valid cases where the maximum length of
32 octet SSID would be exceeded and as such, the parser itself can
enforce the limit as an additional protection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The multi-SSID design that used a single beaconing BSSID with multiple
SSIDs was never completed in this repository, so there is no need to
maintain the per-STA ssid/ssid_probe pointers that could only point to
&hapd->conf->ssid. Save some memory and reduce code complexity by
removing this unused partial capability.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit fa0e715100 ('Use
tls_connection_prf() for all EAP TLS-based key derivation') copied some
pointer checks from the generic implementation to tls_openssl.c.
However, these are arrays and cannot be NULL in OpenSSL data. Remove the
unnecessary checks and add master_key_length check for completeness.
(CID 109619).
Signed-off-by: Jouni Malinen <j@w1.fi>
