This field needs to be validated in addition to validating the total
length of the received frame to avoid reading beyond the frame buffer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
l2_packet_send() returns >= 0 on success, i.e., non-zero value does not
mean failure. Fix this debug print to show up only on negative return
values.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd control interface command can be used in automated
testing to verify how AP processes Data frames with arbitrary contents.
This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is more robust and extensible than configuring IPv6 addresses on
the interfaces and trying to use ping6 or some other external tools to
generate suitable IPv6 frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new wpa_supplicant control interface command can be used in
automated testing to verify how AP processes Data frames with arbitrary
contents. This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The 50 ms wait time for Action frame response was not sufficient when
the tests are run under heavy load (e.g., multiple VMs in parallel).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Wait for GO to start before sending invitation frames in the protocol
test. Without this, it was possible to hit the 5 second timeout on
management frame RX under load.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for this test case to fail due to PBC overlap that was
detected based on previous test case having used PBC. Make that false
positive less likely to happen by explicitly clearing the scan cache on
the devices.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The "Not fully connected" report did not clearly identify what went
wrong, so make this more verbose in hope of being able to determine what
happened should this test case fail again.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible to hit the 10 second timeout in some test cases under
heavy load (e.g., with large number of VMs running tests in parallel).
These timeouts are not really indicating any real error, so make them
less likely to show up in reports by increasing the connection timeout
to 30 seconds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There are valid status (and possibly status-driver) responses
that don't have a name=value format, ignore those in the test
framework parser.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
It took significant part of the startup latency to prefill the database
with test cases due to the SQL COMMIT operation between each added row.
Move COMMIT to outside the loop to speed startup significantly.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need for this state to maintained when the wpa_supplicant
FLUSH ctrl_iface command is used to request flushing of all state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It can be useful to specify an exact order of test cases and also to
allow the same test case to be run multiple times when the list of tests
is provided on the command line.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for wmm_ac_deinit() not getting called when an interface
was removed in a sequence where disassociation was not reported and
wmm_ac_notify_disassoc() did not get called. This resulted in leaking
whatever memory was allocated for WMM AC parameters. Fix that by calling
wmm_ac_notify_disassoc() from wpa_supplicant_cleanup().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
For tests that require a radio with multi-channel concurrency,
create a new one on the fly that does have more than 1 channel.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Newer versions of tshark don't like the -R (read filter) argument
for filtering and just show a deprecation warning. Use -Y (display
filter) instead, which hopefully also works on older versions.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If invitation to reinvoke a persistent group from the GO fails with the
peer indicating that there are no common channels, there is no defined
means for the peer to indicate which channel could have worked. Since
this type of issue with available channels changing over time can
happen, try to work around this by retrying invitation using one of the
social channels as the operating channel unless a specific operating
channel was forced for the group.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to fix some sequencies where a real scan in ap_scan=2
case would be issued even when the connection case would expect direct
connection without a scan.
This fixed an issue shown in hwsim test case autoscan_exponential
followed by ibss_open_fixed_bssid.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to make following operations behave as expected since
mesh iftypes may prevent various operations (e.g., registering Probe
Request frame RX). Use same design as leave_ibss does to handle this
consistently.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to allow proper Action frame transmission to work without
having to claim these to be offchannel operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for the ignore_if_down_event flag to remain set in some
cases where interface mode change required the interface to be set down
temporarily. If that happened, the following rfkill interface down could
have been ignored and device could have been left trying to scan or
connect (which would all fail due to the interface beign down). Clean
this up by clearing the ignore_if_down_event flag on the interface down
event regardless of whether the interface is up at the time this event
is processed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
External tool is not needed anymore to run the data connectivity tests
since hostapd test mode now allows the possible bridge or VLAN interface
to be specified.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows the device-based data connectivity tests to be extended for
bridge and VLAN interface cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 6c6678e7a4 ('nl80211: Make
br_ifindex available in i802_bss') did not cover the case where
i802_check_bridge() ends up creating the bridge interface. That left
bss->br_ifindex zero and prevented neighbor addition. Extend that
functionality to update br_ifindex once the bridge netdev has been
added.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On Android, the control socket being used may be the socket that is
created when wpa_supplicant is started as a /init.*.rc service. Such a
socket is maintained as a key-value pair in Android's environment.
Closing this control socket would leave wpa_supplicant in a bad state.
When wpa_supplicant re-opens the ctrl_iface socket, it will query the
Android's environment, and will be returned with the same socket
descriptor that has already been closed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
It was possible for some of the SAE test cases (e.g., ap_ft_sae) to fail
if they were run after the sae_groups test case that left the SAE group
configuration to a value that is not enabled by default. Fix this by
clearing sae_groups setting in the couple of test cases that were not
yet doing this.
Signed-off-by: Jouni Malinen <j@w1.fi>
The country code from the current AP needs to be used in
ieee80211_chan_to_freq() to support cases where non-global operating
class table is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).
Signed-off-by: Jouni Malinen <j@w1.fi>
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)
Signed-off-by: Jouni Malinen <j@w1.fi>
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.
Signed-off-by: Jouni Malinen <j@w1.fi>
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)
Signed-off-by: Jouni Malinen <j@w1.fi>