This adds verification of os_snprintf() result against the maximum
buffer length. These changes were done automatically with spatch
using the following semantic patch:
@@
expression E1,E2,E3;
statement S1;
@@
E1 = os_snprintf(E2, E3, ...);
- if (\( E1 < 0 \| E1 <= 0 \))
+ if (os_snprintf_error(E3, E1))
(
S1
|
{ ... }
)
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the immediate EAPOL authenticator startup was scheduled
without having received EAPOL-Start only for the case where WPA/WPA2 was
enabled. This can be extended to speed up non-WPA/WPA2 cases as well if
the STA includes WPS IE in Association Request frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
Shift right on unsigned char limits the value to 0..63 which is within
bounds for base64_table[]. Anyway, some static analyzers do not seem to
understand that. See if an otherwise unnecessary masking gets rid of
false warnings. (CID 62858)
Signed-off-by: Jouni Malinen <j@w1.fi>
Shift right on unsigned char limits the value to 0..63 which is within
bounds for base64_table[]. Anyway, some static analyzers do not seem to
understand that. See if an otherwise unnecessary masking gets rid of
false warnings. (CID 62858)
Signed-off-by: Jouni Malinen <j@w1.fi>
For some reason, "pos + len > end" is not clear enough, but "len > end -
pos" is recognized. Use that to get rid of a false positive from a
static analyzer (CID 72697).
Signed-off-by: Jouni Malinen <j@w1.fi>
For some reason, the previous version was not understood to be null
terminating the buffer from recv(). It was doing this fine, though. Try
to use a bit more simpler design in hopes of getting static analyzers to
understand this. (CID 72702)
Signed-off-by: Jouni Malinen <j@w1.fi>
This reduced number of unnecessarily duplicated driver interface
callback functions for sending Action frames by using the more generic
send_action() instead of FT specific send_ft_action().
Signed-off-by: Jouni Malinen <j@w1.fi>
If "ADD bss_config=" command failed in driver_init() or
hostapd_setup_interface(), some of the allocated resources were not
freed properly.
Signed-off-by: Jouni Malinen <j@w1.fi>
This helper function had not used the nl80211_set_iface_id() helper, but
there is no reason why it couldn't re-use the same helper as other
places using nl80211_cmd_msg().
Signed-off-by: Jouni Malinen <j@w1.fi>
Use the helper function to replace places that use nlmsg_alloc(),
nl80211_cmd(), and either bss->ifindex or if_nametoindex(bss->ifname).
Signed-off-by: Jouni Malinen <j@w1.fi>
bss->wdev_id_set is set for the non-detdev P2P Device, so
nl80211_cmd_msg() can be used as-is for these cases as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
This removes duplicated code for building nl80211 commands for a BSS.
This commit handles the functions that were already using
nl80211_set_iface_id().
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of more NLA_PUT* macro uses in nl80211 to reduce the
number of functions that depend on the hidden behavior of jumping to the
nla_put_failure label.
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of NLA_PUT* macro use in checking nl80211 capabilities to
reduce the number of functions that depend on the hidden behavior of
jumping to the nla_put_failure label.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a separate pointer and length field instead of trying to copy from a
struct field that has only part of the full buffer available.
(CID 68115)
Signed-off-by: Jouni Malinen <j@w1.fi>
Bounds checking for gd->gtk_len in wpa_supplicant_check_group_cipher()
was apparently too complex for some static analyzers. Use a local
variable and a more explicit validation step to avoid false report.
(CID 62864)
Signed-off-by: Jouni Malinen <j@w1.fi>
Using aes_wrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is not just the single struct member. (CID 68111)
Signed-off-by: Jouni Malinen <j@w1.fi>
Using aes_unwrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is initialized and that the target is not just the single struct member.
In addition, clean up the design to avoid removal of const with a
typecast. (CID 68112, CID 68134, CID 68135, CID 68136)
Signed-off-by: Jouni Malinen <j@w1.fi>
The separate p2p_channels_union_inplace() makes the function easier for
static analyzers to see that the result buffer is always initialized.
(CID 74494)
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 16689c7cfc ('hostapd: Allow ACS to
be offloaded to the driver') used incorrect operator to determine
whether HT40 was configured. Fix that to mask the ht_capab bit
correctly. (CID 77286)
Signed-off-by: Jouni Malinen <j@w1.fi>
This was not really a real issue since bin_clear_free() would not use
the emsk_len argument when emsk is NULL as it would be on the path where
emsk_len has not been initilized. Anyway, it is better to get rid of the
warning.
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.
If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.
The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.
Signed-off-by: Jouni Malinen <j@w1.fi>
Suppose there are two APs (AP1 & AP2) and user attempted to connect to
AP2 before the previous connection with AP1 could succeed. Now, if the
connection event comes for the older AP with failed status, we should
just ignore it as the wpa_supplicant state has moved to "ASSOCIATING"
with the new AP (AP2).
This is a similar to the case where a disconnection event is ignored for
a case where local disconnect request can cause the extra event to show
up during the next association process following that command.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
Using QCA vendor command, allow ACS function to be offloaded to the
driver. Once channels are selected, hostapd is notified to perform OBSS
operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds EAP-PAX server and peer method functions for deriving
Session-Id from Method-Id per RFC 4746 and RFC 5247.
Signed-off-by: Jouni Malinen <j@w1.fi>
Now that EMSK derivation is taken into use with ERP, it is better to
make sure the temporary MSK + EMSK buffer does not get left in heap
after use.
Signed-off-by: Jouni Malinen <j@w1.fi>
The comment about library not supporting Session-Id derivation was not
accurate and there is no need to check for master key that is not used
as part of derivation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, it was possible for the loop through the data components to
increment addr/len index at the last position beyond the declared size.
This resulted in reading beyond those arrays. The read values were not
used and as such, this was unlikely to cause noticeable issues, but
anyway, memory checkers can detect this and the correct behavior is to
stop increments before going beyond the arrays since no more bytes will
be processed after this anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
This flag was left in the STA entry for the short duration after the STA
gets deauthenticated. If the STA sends a Class 2 or 3 frame during that
short time, the AP would not have replied with Deauthentication frame
indicating no association is present.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.
Signed-off-by: Jouni Malinen <j@w1.fi>
