hostapd: update to version 2016-01-15

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48527
This commit is contained in:
Felix Fietkau 2016-01-28 17:19:13 +00:00
parent 705ddc9bb9
commit 924407b253
42 changed files with 243 additions and 945 deletions

View File

@ -7,9 +7,9 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
PKG_VERSION:=2015-03-25
PKG_VERSION:=2016-01-15
PKG_RELEASE:=2
PKG_REV:=8278138e679174b1ec8af7f169c2810a8888e202
PKG_REV:=e15dcf6d1bc2725388555523effca75b1ffab735
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=git://w1.fi/srv/git/hostap.git

View File

@ -1,37 +0,0 @@
From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 7 Apr 2015 11:32:11 +0300
Subject: [PATCH] P2P: Validate SSID element length before copying it
(CVE-2015-1863)
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
src/p2p/p2p.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p,
if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
os_memcpy(dev->interface_addr, addr, ETH_ALEN);
if (msg.ssid &&
+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
(msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
!= 0)) {

View File

@ -1,36 +0,0 @@
From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Wed, 29 Apr 2015 02:21:53 +0300
Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/wmm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/src/ap/wmm.c
+++ b/src/ap/wmm.c
@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
return;
}
+ if (left < 0)
+ return; /* not a valid WMM Action frame */
+
/* extract the tspec info element */
if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,

View File

@ -1,49 +0,0 @@
From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 28 Apr 2015 17:08:33 +0300
Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.
This could have been used to cause a denial service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).
Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/wps/httpread.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/wps/httpread.c b/src/wps/httpread.c
index 2f08f37..d2855e3 100644
--- a/src/wps/httpread.c
+++ b/src/wps/httpread.c
@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
if (!isxdigit(*cbp))
goto bad;
h->chunk_size = strtoul(cbp, NULL, 16);
+ if (h->chunk_size < 0 ||
+ h->chunk_size > h->max_bytes) {
+ wpa_printf(MSG_DEBUG,
+ "httpread: Invalid chunk size %d",
+ h->chunk_size);
+ goto bad;
+ }
/* throw away chunk header
* so we have only real data
*/
--
1.9.1

View File

@ -1,73 +0,0 @@
From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Fri, 1 May 2015 16:37:45 +0300
Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index f2b0926..a629437 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
u16 offset;
u8 *ptr, *scalar = NULL, *element = NULL;
+ size_t prime_len, order_len;
+
+ if (data->state != PWD_Commit_Req) {
+ ret->ignore = TRUE;
+ goto fin;
+ }
+
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
if (((data->private_value = BN_new()) == NULL) ||
((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
int offset;
+ if (data->state != PWD_Confirm_Req) {
+ ret->ignore = TRUE;
+ goto fin;
+ }
+
+ if (payload_len != SHA256_MAC_LEN) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
+ (unsigned int) payload_len, SHA256_MAC_LEN);
+ goto fin;
+ }
+
/*
* first build up the ciphersuite which is group | random_function |
* prf
--
1.9.1

View File

@ -1,66 +0,0 @@
From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Fri, 1 May 2015 16:40:44 +0300
Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 66bd5d2..3189105 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
EC_POINT *K = NULL, *point = NULL;
int res = 0;
+ size_t prime_len, order_len;
wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
+ prime_len = BN_num_bytes(data->grp->prime);
+ order_len = BN_num_bytes(data->grp->order);
+
+ if (payload_len != 2 * prime_len + order_len) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
+ (unsigned int) payload_len,
+ (unsigned int) (2 * prime_len + order_len));
+ goto fin;
+ }
+
if (((data->peer_scalar = BN_new()) == NULL) ||
((data->k = BN_new()) == NULL) ||
((cofactor = BN_new()) == NULL) ||
@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
int offset;
+ if (payload_len != SHA256_MAC_LEN) {
+ wpa_printf(MSG_INFO,
+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
+ (unsigned int) payload_len, SHA256_MAC_LEN);
+ goto fin;
+ }
+
/* build up the ciphersuite: group | random_function | prf */
grp = htons(data->group_num);
ptr = (u8 *) &cs;
--
1.9.1

View File

@ -1,52 +0,0 @@
From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 2 May 2015 19:23:04 +0300
Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index a629437..1d2079b 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* if it's the first fragment there'll be a length field
*/
if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ ret->ignore = TRUE;
+ return NULL;
+ }
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
"total length = %d", tot_len);
if (tot_len > 15000)
return NULL;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ ret->ignore = TRUE;
+ return NULL;
+ }
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "Out of memory to buffer "
--
1.9.1

View File

@ -1,50 +0,0 @@
From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 2 May 2015 19:26:06 +0300
Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_server/eap_server_pwd.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index 3189105..2bfc3c2 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* the first fragment has a total length
*/
if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
+ if (len < 2) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Frame too short to contain Total-Length field");
+ return;
+ }
tot_len = WPA_GET_BE16(pos);
wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
"length = %d", tot_len);
if (tot_len > 15000)
return;
+ if (data->inbuf) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
+ return;
+ }
data->inbuf = wpabuf_alloc(tot_len);
if (data->inbuf == NULL) {
wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
--
1.9.1

View File

@ -1,32 +0,0 @@
From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 2 May 2015 19:26:28 +0300
Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
The L (Length) and M (More) flags needs to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 1d2079b..e58b13a 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* we have output! Do we need to fragment it?
*/
+ lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
len = wpabuf_len(data->outbuf);
if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
--
1.9.1

View File

@ -1,61 +0,0 @@
From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 7 Jul 2015 21:57:28 +0300
Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().
Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.
Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/wps/ndef.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/wps/ndef.c b/src/wps/ndef.c
index 5604b0a..50d018f 100644
--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
if (size < 6)
return -1;
record->payload_length = ntohl(*(u32 *)pos);
+ if (record->payload_length > size - 6)
+ return -1;
pos += sizeof(u32);
}
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
pos += record->payload_length;
record->total_length = pos - data;
- if (record->total_length > size)
+ if (record->total_length > size ||
+ record->total_length < record->payload_length)
return -1;
return 0;
}
--
1.9.1

View File

@ -1,32 +0,0 @@
From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 25 Oct 2015 15:45:50 +0200
Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
PMF in use
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
wpa_supplicant/wnm_sta.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 954de67..7d79499 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
end = ptr + key_len_total;
wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
+ wpa_msg(wpa_s, MSG_INFO,
+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
+ return;
+ }
+
while (ptr + 1 < end) {
if (ptr + 2 + ptr[1] > end) {
wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "

View File

@ -1,54 +0,0 @@
From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 18:18:17 +0200
Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 1f78544..75ceef1 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
/*
* buffer and ACK the fragment
*/
- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
data->in_frag_pos += len;
if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
return NULL;
}
wpabuf_put_data(data->inbuf, pos, len);
-
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
EAP_PWD_HDR_SIZE,
EAP_CODE_RESPONSE, eap_get_id(reqData));
@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
* we're buffering and this is the last fragment
*/
if (data->in_frag_pos) {
- wpabuf_put_data(data->inbuf, pos, len);
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
(int) len);
- data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
}
--
1.9.1

View File

@ -1,51 +0,0 @@
From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 18:24:16 +0200
Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_server/eap_server_pwd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index cb83ff7..9f787ab 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
/*
* the first and all intermediate fragments have the M bit set
*/
- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
"attack detected! (%d+%d > %d)",
@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
}
wpabuf_put_data(data->inbuf, pos, len);
data->in_frag_pos += len;
+ }
+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
(int) len);
return;
@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
* buffering fragments so that's how we know it's the last)
*/
if (data->in_frag_pos) {
- wpabuf_put_data(data->inbuf, pos, len);
- data->in_frag_pos += len;
pos = wpabuf_head_u8(data->inbuf);
len = data->in_frag_pos;
wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--
1.9.1

View File

@ -1,34 +0,0 @@
From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Nov 2015 19:35:44 +0200
Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/eap_peer/eap_pwd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index 75ceef1..892b590 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
fin:
- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ if (data->grp)
+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
BN_clear_free(x);
BN_clear_free(y);
if (data->outbuf == NULL) {
--
1.9.1

View File

@ -1,14 +0,0 @@
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2332,9 +2332,9 @@ void ieee802_1x_notify_pre_auth(struct e
}
-static const char * bool_txt(Boolean bool)
+static const char * bool_txt(Boolean bool_val)
{
- return bool ? "TRUE" : "FALSE";
+ return bool_val ? "TRUE" : "FALSE";
}

View File

@ -8,7 +8,7 @@
#ifdef ANDROID
#include <sys/capability.h>
@@ -155,59 +156,46 @@ int os_gmtime(os_time_t t, struct os_tm
@@ -179,59 +180,46 @@ int os_gmtime(os_time_t t, struct os_tm
return 0;
}

View File

@ -1,6 +1,6 @@
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -252,9 +252,10 @@ void wpa_supplicant_cancel_auth_timeout(
@@ -253,9 +253,10 @@ void wpa_supplicant_cancel_auth_timeout(
*/
void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
{

View File

@ -1,6 +1,6 @@
--- a/src/l2_packet/l2_packet_linux.c
+++ b/src/l2_packet/l2_packet_linux.c
@@ -307,8 +307,7 @@ struct l2_packet_data * l2_packet_init_b
@@ -337,8 +337,7 @@ struct l2_packet_data * l2_packet_init_b
l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback,
rx_callback_ctx, l2_hdr);
@ -8,5 +8,5 @@
- return NULL;
+ return l2;
#ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR
/*
* The Linux packet socket behavior has changed over the years and there

View File

@ -1,67 +0,0 @@
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
Date: Mon, 11 Jan 2016 19:18:06 +0100
Subject: [PATCH] nl80211: Report disassociated STA / lost peer for the correct
BSS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We shouldn't use drv->ctx as it always points to the first BSS. When
using FullMAC driver with multi-BSS support it resulted in incorrect
treating nl80211 events. I noticed with with brcmfmac and BCM43602.
Before my change I was getting "disassociated" on a wrong interface:
wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated
With this patch it works as expected:
wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated
This doesn't apply to hostapd dealing with SoftMAC drivers when handling
AP SME & MLME is done it hostapd not the firmware.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
---
src/drivers/driver_nl80211_event.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/src/drivers/driver_nl80211_event.c
+++ b/src/drivers/driver_nl80211_event.c
@@ -1154,6 +1154,7 @@ static void nl80211_new_station_event(st
static void nl80211_del_station_event(struct wpa_driver_nl80211_data *drv,
+ struct i802_bss *bss,
struct nlattr **tb)
{
u8 *addr;
@@ -1166,7 +1167,7 @@ static void nl80211_del_station_event(st
MAC2STR(addr));
if (is_ap_interface(drv->nlmode) && drv->device_ap_sme) {
- drv_event_disassoc(drv->ctx, addr);
+ drv_event_disassoc(bss->ctx, addr);
return;
}
@@ -1175,7 +1176,7 @@ static void nl80211_del_station_event(st
os_memset(&data, 0, sizeof(data));
os_memcpy(data.ibss_peer_lost.peer, addr, ETH_ALEN);
- wpa_supplicant_event(drv->ctx, EVENT_IBSS_PEER_LOST, &data);
+ wpa_supplicant_event(bss->ctx, EVENT_IBSS_PEER_LOST, &data);
}
@@ -1939,7 +1940,7 @@ static void do_process_drv_event(struct
nl80211_new_station_event(drv, bss, tb);
break;
case NL80211_CMD_DEL_STATION:
- nl80211_del_station_event(drv, tb);
+ nl80211_del_station_event(drv, bss, tb);
break;
case NL80211_CMD_SET_REKEY_OFFLOAD:
nl80211_rekey_offload_event(drv, tb);

View File

@ -1,14 +1,14 @@
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -17,6 +17,7 @@ export BINDIR ?= /usr/local/bin/
@@ -32,6 +32,7 @@ export BINDIR ?= /usr/local/bin/
# CFLAGS += -DUSE_KERNEL_HEADERS -I/usr/src/linux/include
-include .config
+-include $(if $(MULTICALL), ../wpa_supplicant/.config)
ifdef CONFIG_TESTING_OPTIONS
CFLAGS += -DCONFIG_TESTING_OPTIONS
@@ -242,10 +243,14 @@ ifdef CONFIG_IEEE80211AC
ifndef CONFIG_NO_GITVER
# Add VERSION_STR postfix for builds from a git repository
@@ -277,10 +278,14 @@ ifdef CONFIG_IEEE80211AC
CFLAGS += -DCONFIG_IEEE80211AC
endif
@ -26,7 +26,7 @@
LIBS += $(DRV_AP_LIBS)
ifdef CONFIG_L2_PACKET
@@ -941,6 +946,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
@@ -1019,6 +1024,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
BCHECK=../src/drivers/build.hostapd
@ -39,7 +39,7 @@
hostapd: $(BCHECK) $(OBJS)
$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
@$(E) " LD " $@
@@ -980,6 +991,12 @@ HOBJS += ../src/crypto/aes-internal.o
@@ -1060,6 +1071,12 @@ HOBJS += ../src/crypto/aes-internal.o
HOBJS += ../src/crypto/aes-internal-enc.o
endif
@ -54,15 +54,15 @@
@$(E) " LD " $@
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -15,6 +15,7 @@ CFLAGS += -I$(abspath ../src)
@@ -27,6 +27,7 @@ CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
-include .config
+-include $(if $(MULTICALL),../hostapd/.config)
ifdef CONFIG_TESTING_OPTIONS
CFLAGS += -DCONFIG_TESTING_OPTIONS
@@ -773,6 +774,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
ifndef CONFIG_NO_GITVER
# Add VERSION_STR postfix for builds from a git repository
@@ -794,6 +795,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS
LIBS += -ldl -rdynamic
endif
@ -73,7 +73,7 @@
endif
ifdef CONFIG_MACSEC
@@ -793,9 +798,11 @@ NEED_EAP_COMMON=y
@@ -814,9 +819,11 @@ NEED_EAP_COMMON=y
NEED_RSN_AUTHENTICATOR=y
CFLAGS += -DCONFIG_AP
OBJS += ap.o
@ -85,7 +85,7 @@
OBJS += ../src/ap/hostapd.o
OBJS += ../src/ap/wpa_auth_glue.o
OBJS += ../src/ap/utils.o
@@ -858,10 +865,18 @@ endif
@@ -879,10 +886,18 @@ endif
ifdef CONFIG_HS20
OBJS += ../src/ap/hs20.o
endif
@ -104,7 +104,7 @@
NEED_AES_WRAP=y
OBJS += ../src/ap/wpa_auth.o
OBJS += ../src/ap/wpa_auth_ie.o
@@ -1603,6 +1618,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
@@ -1657,6 +1672,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
$(OBJS_c) $(OBJS_t) $(OBJS_t2) $(OBJS) $(BCHECK) $(EXTRA_progs): .config
@ -117,7 +117,7 @@
wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
@$(E) " LD " $@
@@ -1694,6 +1715,12 @@ endif
@@ -1757,6 +1778,12 @@ endif
$(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
@$(E) " sed" $<
@ -132,7 +132,7 @@
wpa_cli.exe: wpa_cli
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -4581,8 +4581,8 @@ union wpa_event_data {
@@ -4707,8 +4707,8 @@ union wpa_event_data {
* Driver wrapper code should call this function whenever an event is received
* from the driver.
*/
@ -145,7 +145,7 @@
/*
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -1075,8 +1075,8 @@ static void hostapd_event_dfs_cac_starte
@@ -1122,8 +1122,8 @@ static void hostapd_event_dfs_cac_starte
#endif /* NEED_AP_MLME */
@ -158,7 +158,7 @@
#ifndef CONFIG_NO_STDOUT_DEBUG
--- a/wpa_supplicant/wpa_priv.c
+++ b/wpa_supplicant/wpa_priv.c
@@ -819,8 +819,8 @@ static void wpa_priv_send_ft_response(st
@@ -932,8 +932,8 @@ static void wpa_priv_send_ft_response(st
}
@ -169,7 +169,7 @@
{
struct wpa_priv_interface *iface = ctx;
@@ -961,6 +961,7 @@ int main(int argc, char *argv[])
@@ -1082,6 +1082,7 @@ int main(int argc, char *argv[])
if (os_program_init())
return -1;
@ -179,7 +179,7 @@
for (;;) {
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3138,8 +3138,8 @@ static void wpa_supplicant_event_assoc_a
@@ -3298,8 +3298,8 @@ static void wpa_supplicant_event_assoc_a
}
@ -189,10 +189,19 @@
+ union wpa_event_data *data)
{
struct wpa_supplicant *wpa_s = ctx;
int resched;
@@ -3947,7 +3947,7 @@ void wpa_supplicant_event(void *ctx, enu
#endif /* CONFIG_AP */
break;
case EVENT_ACS_CHANNEL_SELECTED:
-#ifdef CONFIG_ACS
+#if defined(CONFIG_ACS) && defined(CONFIG_AP)
if (!wpa_s->ap_iface)
break;
hostapd_acs_channel_selected(wpa_s->ap_iface->bss[0],
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -4300,6 +4300,9 @@ static void wpa_supplicant_deinit_iface(
@@ -4845,6 +4845,9 @@ static void wpa_supplicant_deinit_iface(
os_free(wpa_s);
}
@ -202,7 +211,7 @@
/**
* wpa_supplicant_add_iface - Add a new network interface
@@ -4526,6 +4529,7 @@ struct wpa_global * wpa_supplicant_init(
@@ -5100,6 +5103,7 @@ struct wpa_global * wpa_supplicant_init(
#ifndef CONFIG_NO_WPA_MSG
wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
#endif /* CONFIG_NO_WPA_MSG */
@ -212,7 +221,7 @@
wpa_debug_open_file(params->wpa_debug_file_path);
--- a/hostapd/main.c
+++ b/hostapd/main.c
@@ -511,6 +511,9 @@ static int hostapd_get_ctrl_iface_group(
@@ -513,6 +513,9 @@ static int hostapd_get_ctrl_iface_group(
return 0;
}
@ -222,13 +231,13 @@
#ifdef CONFIG_WPS
static int gen_uuid(const char *txt_addr)
@@ -562,6 +565,7 @@ int main(int argc, char *argv[])
interfaces.global_iface_name = NULL;
@@ -588,6 +591,7 @@ int main(int argc, char *argv[])
interfaces.global_ctrl_sock = -1;
interfaces.global_ctrl_dst = NULL;
+ wpa_supplicant_event = hostapd_wpa_event;
for (;;) {
c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
c = getopt(argc, argv, "b:Bde:f:hKP:STtu:vg:G:");
if (c < 0)
--- a/src/drivers/drivers.c
+++ b/src/drivers/drivers.c
@ -244,20 +253,18 @@
#endif /* CONFIG_DRIVER_WEXT */
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -28,8 +28,12 @@
@@ -29,7 +29,10 @@
#include "ctrl_iface.h"
#include "pcsc_funcs.h"
#include "wpas_glue.h"
+#include "drivers/driver.h"
+void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
+ union wpa_event_data *data);
+
struct wpa_driver_ops *wpa_drivers[] = { NULL };
const struct wpa_driver_ops *const wpa_drivers[] = { NULL };
@@ -1203,6 +1207,8 @@ static void usage(void)
@@ -1288,6 +1291,8 @@ static void usage(void)
"option several times.\n");
}
@ -266,7 +273,7 @@
int main(int argc, char *argv[])
{
@@ -1221,6 +1227,7 @@ int main(int argc, char *argv[])
@@ -1308,6 +1313,7 @@ int main(int argc, char *argv[])
if (os_program_init())
return -1;

View File

@ -1,6 +1,6 @@
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2771,6 +2771,10 @@ static int hostapd_config_fill(struct ho
@@ -2852,6 +2852,10 @@ static int hostapd_config_fill(struct ho
}
#endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_IEEE80211N
@ -13,7 +13,7 @@
} else if (os_strcmp(buf, "ht_capab") == 0) {
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -619,6 +619,8 @@ struct hostapd_config {
@@ -639,6 +639,8 @@ struct hostapd_config {
int ht_op_mode_fixed;
u16 ht_capab;
@ -21,21 +21,22 @@
+ int no_ht_coex;
int ieee80211n;
int secondary_channel;
int require_ht;
int no_pri_sec_switch;
--- a/src/ap/hw_features.c
+++ b/src/ap/hw_features.c
@@ -461,7 +461,7 @@ static int ieee80211n_check_40mhz(struct
struct wpa_driver_scan_params params;
@@ -473,7 +473,8 @@ static int ieee80211n_check_40mhz(struct
int ret;
- if (!iface->conf->secondary_channel)
+ if (!iface->conf->secondary_channel || iface->conf->noscan)
return 0; /* HT40 not used */
/* Check that HT40 is used and PRI / SEC switch is allowed */
- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
+ iface->conf->noscan)
return 0;
hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
--- a/src/ap/ieee802_11_ht.c
+++ b/src/ap/ieee802_11_ht.c
@@ -221,6 +221,9 @@ void hostapd_2040_coex_action(struct hos
@@ -244,6 +244,9 @@ void hostapd_2040_coex_action(struct hos
if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
return;
@ -45,7 +46,7 @@
if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie))
return;
@@ -346,6 +349,9 @@ void ht40_intolerant_add(struct hostapd_
@@ -368,6 +371,9 @@ void ht40_intolerant_add(struct hostapd_
if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
return;

View File

@ -1,6 +1,6 @@
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -3249,7 +3249,7 @@ wpa_supplicant_alloc(struct wpa_supplica
@@ -3449,7 +3449,7 @@ wpa_supplicant_alloc(struct wpa_supplica
if (wpa_s == NULL)
return NULL;
wpa_s->scan_req = INITIAL_SCAN_REQ;

View File

@ -1,6 +1,6 @@
--- a/src/drivers/drivers.mak
+++ b/src/drivers/drivers.mak
@@ -34,7 +34,6 @@ NEED_SME=y
@@ -37,7 +37,6 @@ NEED_SME=y
NEED_AP_MLME=y
NEED_NETLINK=y
NEED_LINUX_IOCTL=y
@ -8,7 +8,7 @@
ifdef CONFIG_LIBNL32
DRV_LIBS += -lnl-3
@@ -116,7 +115,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
@@ -121,7 +120,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
CONFIG_WIRELESS_EXTENSION=y
NEED_NETLINK=y
NEED_LINUX_IOCTL=y
@ -16,7 +16,7 @@
endif
ifdef CONFIG_DRIVER_NDIS
@@ -142,7 +140,6 @@ endif
@@ -147,7 +145,6 @@ endif
ifdef CONFIG_WIRELESS_EXTENSION
DRV_WPA_CFLAGS += -DCONFIG_WIRELESS_EXTENSION
DRV_WPA_OBJS += ../src/drivers/driver_wext.o
@ -24,7 +24,7 @@
endif
ifdef NEED_NETLINK
@@ -155,6 +152,7 @@ endif
@@ -160,6 +157,7 @@ endif
ifdef NEED_RFKILL
DRV_OBJS += ../src/drivers/rfkill.o

View File

@ -1,6 +1,6 @@
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -3616,7 +3616,7 @@ static int nl80211_set_channel(struct i8
@@ -3708,7 +3708,7 @@ static int nl80211_set_channel(struct i8
freq->freq, freq->ht_enabled, freq->vht_enabled,
freq->bandwidth, freq->center_freq1, freq->center_freq2);

View File

@ -1,6 +1,6 @@
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -76,6 +76,16 @@ static void hostapd_reload_bss(struct ho
@@ -78,6 +78,16 @@ static void hostapd_reload_bss(struct ho
#endif /* CONFIG_NO_RADIUS */
ssid = &hapd->conf->ssid;
@ -17,7 +17,7 @@
if (!ssid->wpa_psk_set && ssid->wpa_psk && !ssid->wpa_psk->next &&
ssid->wpa_passphrase_set && ssid->wpa_passphrase) {
/*
@@ -175,21 +185,12 @@ int hostapd_reload_config(struct hostapd
@@ -177,21 +187,12 @@ int hostapd_reload_config(struct hostapd
oldconf = hapd->iconf;
iface->conf = newconf;

View File

@ -1,6 +1,6 @@
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -2254,13 +2254,18 @@ wpa_driver_nl80211_finish_drv_init(struc
@@ -2323,13 +2323,18 @@ wpa_driver_nl80211_finish_drv_init(struc
}
@ -22,7 +22,7 @@
return send_and_recv_msgs(drv, msg, NULL, NULL);
}
@@ -2311,7 +2316,7 @@ static void wpa_driver_nl80211_deinit(st
@@ -2380,7 +2385,7 @@ static void wpa_driver_nl80211_deinit(st
nl80211_remove_monitor_interface(drv);
if (is_ap_interface(drv->nlmode))
@ -31,7 +31,7 @@
if (drv->eapol_sock >= 0) {
eloop_unregister_read_sock(drv->eapol_sock);
@@ -4140,8 +4145,7 @@ static void nl80211_teardown_ap(struct i
@@ -4232,8 +4237,7 @@ static void nl80211_teardown_ap(struct i
nl80211_remove_monitor_interface(drv);
else
nl80211_mgmt_unsubscribe(bss, "AP teardown");
@ -41,7 +41,7 @@
}
@@ -6066,8 +6070,6 @@ static int wpa_driver_nl80211_if_remove(
@@ -6164,8 +6168,6 @@ static int wpa_driver_nl80211_if_remove(
} else {
wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
nl80211_teardown_ap(bss);
@ -50,7 +50,7 @@
nl80211_destroy_bss(bss);
if (!bss->added_if)
i802_set_iface_flags(bss, 0);
@@ -6389,8 +6391,7 @@ static int wpa_driver_nl80211_deinit_ap(
@@ -6527,8 +6529,7 @@ static int wpa_driver_nl80211_deinit_ap(
struct wpa_driver_nl80211_data *drv = bss->drv;
if (!is_ap_interface(drv->nlmode))
return -1;
@ -60,7 +60,7 @@
/*
* If the P2P GO interface was dynamically added, then it is
@@ -6409,8 +6410,7 @@ static int wpa_driver_nl80211_stop_ap(vo
@@ -6547,8 +6548,7 @@ static int wpa_driver_nl80211_stop_ap(vo
struct wpa_driver_nl80211_data *drv = bss->drv;
if (!is_ap_interface(drv->nlmode))
return -1;

View File

@ -1,22 +1,22 @@
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -45,6 +45,7 @@
#include "wps/wps.h"
@@ -47,6 +47,7 @@
#include "fst/fst_ctrl_iface.h"
#include "config_file.h"
#include "ctrl_iface.h"
+#include "config_file.h"
struct wpa_ctrl_dst {
@@ -55,6 +56,7 @@ struct wpa_ctrl_dst {
#define HOSTAPD_CLI_DUP_VALUE_MAX_LEN 256
@@ -59,6 +60,7 @@ struct wpa_ctrl_dst {
int errors;
};
+static char *reload_opts = NULL;
static void hostapd_ctrl_iface_send(struct hostapd_data *hapd, int level,
const char *buf, size_t len);
@@ -164,6 +166,61 @@ static int hostapd_ctrl_iface_new_sta(st
enum wpa_msg_type type,
@@ -169,6 +171,61 @@ static int hostapd_ctrl_iface_new_sta(st
return 0;
}
@ -78,7 +78,7 @@
#ifdef CONFIG_IEEE80211W
#ifdef NEED_AP_MLME
@@ -2086,6 +2143,8 @@ static void hostapd_ctrl_iface_receive(i
@@ -2257,6 +2314,8 @@ static int hostapd_ctrl_iface_receive_pr
} else if (os_strncmp(buf, "VENDOR ", 7) == 0) {
reply_len = hostapd_ctrl_iface_vendor(hapd, buf + 7, reply,
reply_size);
@ -89,7 +89,7 @@
#ifdef RADIUS_SERVER
--- a/src/ap/ctrl_iface_ap.c
+++ b/src/ap/ctrl_iface_ap.c
@@ -541,5 +541,11 @@ int hostapd_parse_csa_settings(const cha
@@ -552,5 +552,11 @@ int hostapd_parse_csa_settings(const cha
int hostapd_ctrl_iface_stop_ap(struct hostapd_data *hapd)
{

View File

@ -1,6 +1,6 @@
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -110,6 +110,11 @@ struct wpa_interface {
@@ -99,6 +99,11 @@ struct wpa_interface {
const char *ifname;
/**
@ -12,7 +12,7 @@
* bridge_ifname - Optional bridge interface name
*
* If the driver interface (ifname) is included in a Linux bridge
@@ -442,6 +447,8 @@ struct wpa_supplicant {
@@ -465,6 +470,8 @@ struct wpa_supplicant {
#endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
char bridge_ifname[16];
@ -23,7 +23,7 @@
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -14,6 +14,10 @@ CFLAGS += $(EXTRA_CFLAGS)
@@ -26,6 +26,10 @@ CFLAGS += $(EXTRA_CFLAGS)
CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
@ -34,7 +34,7 @@
-include .config
-include $(if $(MULTICALL),../hostapd/.config)
@@ -84,6 +88,8 @@ OBJS_c += ../src/utils/wpa_debug.o
@@ -113,6 +117,8 @@ OBJS_c += ../src/utils/wpa_debug.o
OBJS_c += ../src/utils/common.o
OBJS += wmm_ac.o
@ -45,7 +45,7 @@
CONFIG_OS=win32
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -107,6 +107,55 @@ const char *wpa_supplicant_full_license5
@@ -108,6 +108,55 @@ const char *const wpa_supplicant_full_li
"\n";
#endif /* CONFIG_NO_STDOUT_DEBUG */
@ -73,7 +73,7 @@
+ int ret;
+
+ if (!bss)
+ return;
+ return -1;
+
+ if (bss->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) {
+ int sec = bss->ht_param & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
@ -101,7 +101,7 @@
/* Configure default/group WEP keys for static WEP */
int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
{
@@ -743,8 +792,12 @@ void wpa_supplicant_set_state(struct wpa
@@ -783,8 +832,12 @@ void wpa_supplicant_set_state(struct wpa
wpas_p2p_completed(wpa_s);
sme_sched_obss_scan(wpa_s, 1);
@ -114,7 +114,7 @@
wpa_s->new_connection = 1;
wpa_drv_set_operstate(wpa_s, 0);
#ifndef IEEE8021X_EAPOL
@@ -4038,6 +4091,20 @@ static int wpa_supplicant_init_iface(str
@@ -4537,6 +4590,20 @@ static int wpa_supplicant_init_iface(str
sizeof(wpa_s->bridge_ifname));
}
@ -135,7 +135,7 @@
/* RSNA Supplicant Key Management - INITIALIZE */
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
@@ -4280,6 +4347,11 @@ static void wpa_supplicant_deinit_iface(
@@ -4823,6 +4890,11 @@ static void wpa_supplicant_deinit_iface(
if (terminate)
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_TERMINATING);
@ -157,7 +157,7 @@
#include "drivers/driver.h"
#include "wpa_supplicant_i.h"
#include "config.h"
@@ -277,6 +278,10 @@ static void calculate_update_time(const
@@ -287,6 +288,10 @@ static void calculate_update_time(const
static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
struct os_reltime *fetch_time)
{
@ -168,7 +168,7 @@
dst->flags = src->flags;
os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
dst->freq = src->freq;
@@ -289,6 +294,15 @@ static void wpa_bss_copy_res(struct wpa_
@@ -299,6 +304,15 @@ static void wpa_bss_copy_res(struct wpa_
dst->est_throughput = src->est_throughput;
dst->snr = src->snr;
@ -186,7 +186,7 @@
--- a/wpa_supplicant/main.c
+++ b/wpa_supplicant/main.c
@@ -33,7 +33,7 @@ static void usage(void)
@@ -34,7 +34,7 @@ static void usage(void)
"vW] [-P<pid file>] "
"[-g<global ctrl>] \\\n"
" [-G<group>] \\\n"
@ -195,15 +195,15 @@
"[-p<driver_param>] \\\n"
" [-b<br_ifname>] [-e<entropy file>]"
#ifdef CONFIG_DEBUG_FILE
@@ -84,6 +84,7 @@ static void usage(void)
#endif /* CONFIG_DEBUG_LINUX_TRACING */
printf(" -t = include timestamp in debug messages\n"
@@ -74,6 +74,7 @@ static void usage(void)
" -g = global ctrl_interface\n"
" -G = global ctrl_interface group\n"
" -h = show this help text\n"
+ " -H = connect to a hostapd instance to manage state changes\n"
" -L = show license (BSD)\n"
" -o = override driver parameter for new interfaces\n"
" -O = override ctrl_interface parameter for new interfaces\n"
@@ -175,7 +176,7 @@ int main(int argc, char *argv[])
" -i = interface name\n"
" -I = additional configuration file\n"
" -K = include keys (passwords, etc.) in debug output\n"
@@ -176,7 +177,7 @@ int main(int argc, char *argv[])
for (;;) {
c = getopt(argc, argv,
@ -212,7 +212,7 @@
if (c < 0)
break;
switch (c) {
@@ -222,6 +223,9 @@ int main(int argc, char *argv[])
@@ -223,6 +224,9 @@ int main(int argc, char *argv[])
usage();
exitcode = 0;
goto out;
@ -224,8 +224,8 @@
break;
--- a/wpa_supplicant/bss.h
+++ b/wpa_supplicant/bss.h
@@ -72,6 +72,10 @@ struct wpa_bss {
u8 ssid[32];
@@ -79,6 +79,10 @@ struct wpa_bss {
u8 ssid[SSID_MAX_LEN];
/** Length of SSID */
size_t ssid_len;
+ /** HT caapbilities */

View File

@ -1,6 +1,6 @@
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -168,6 +168,9 @@ endif
@@ -202,6 +202,9 @@ endif
ifdef CONFIG_NO_CTRL_IFACE
CFLAGS += -DCONFIG_NO_CTRL_IFACE
else
@ -12,7 +12,7 @@
endif
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -1953,6 +1953,7 @@ static void hostapd_ctrl_iface_receive(i
@@ -2119,6 +2119,7 @@ static int hostapd_ctrl_iface_receive_pr
reply_size);
} else if (os_strcmp(buf, "STATUS-DRIVER") == 0) {
reply_len = hostapd_drv_status(hapd, reply, reply_size);
@ -20,17 +20,17 @@
} else if (os_strcmp(buf, "MIB") == 0) {
reply_len = ieee802_11_get_mib(hapd, reply, reply_size);
if (reply_len >= 0) {
@@ -1994,6 +1995,7 @@ static void hostapd_ctrl_iface_receive(i
@@ -2160,6 +2161,7 @@ static int hostapd_ctrl_iface_receive_pr
} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply,
reply_size);
+#endif
} else if (os_strcmp(buf, "ATTACH") == 0) {
if (hostapd_ctrl_iface_attach(hapd, &from, fromlen))
if (hostapd_ctrl_iface_attach(hapd, from, fromlen))
reply_len = -1;
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -837,6 +837,9 @@ ifdef CONFIG_WNM
@@ -858,6 +858,9 @@ ifdef CONFIG_WNM
OBJS += ../src/ap/wnm_ap.o
endif
ifdef CONFIG_CTRL_IFACE
@ -42,7 +42,7 @@
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -1795,7 +1795,7 @@ static int wpa_supplicant_ctrl_iface_sta
@@ -1858,7 +1858,7 @@ static int wpa_supplicant_ctrl_iface_sta
pos += ret;
}
@ -51,7 +51,7 @@
if (wpa_s->ap_iface) {
pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos,
end - pos,
@@ -7896,6 +7896,7 @@ char * wpa_supplicant_ctrl_iface_process
@@ -8352,6 +8352,7 @@ char * wpa_supplicant_ctrl_iface_process
reply_len = -1;
} else if (os_strncmp(buf, "NOTE ", 5) == 0) {
wpa_printf(MSG_INFO, "NOTE: %s", buf + 5);
@ -59,7 +59,7 @@
} else if (os_strcmp(buf, "MIB") == 0) {
reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
if (reply_len >= 0) {
@@ -7903,6 +7904,7 @@ char * wpa_supplicant_ctrl_iface_process
@@ -8359,6 +8360,7 @@ char * wpa_supplicant_ctrl_iface_process
reply + reply_len,
reply_size - reply_len);
}
@ -67,7 +67,7 @@
} else if (os_strncmp(buf, "STATUS", 6) == 0) {
reply_len = wpa_supplicant_ctrl_iface_status(
wpa_s, buf + 6, reply, reply_size);
@@ -8353,6 +8355,7 @@ char * wpa_supplicant_ctrl_iface_process
@@ -8821,6 +8823,7 @@ char * wpa_supplicant_ctrl_iface_process
reply_len = wpa_supplicant_ctrl_iface_bss(
wpa_s, buf + 4, reply, reply_size);
#ifdef CONFIG_AP
@ -75,7 +75,7 @@
} else if (os_strcmp(buf, "STA-FIRST") == 0) {
reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size);
} else if (os_strncmp(buf, "STA ", 4) == 0) {
@@ -8361,12 +8364,15 @@ char * wpa_supplicant_ctrl_iface_process
@@ -8829,12 +8832,15 @@ char * wpa_supplicant_ctrl_iface_process
} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply,
reply_size);
@ -93,7 +93,7 @@
reply_len = -1;
--- a/src/ap/ctrl_iface_ap.c
+++ b/src/ap/ctrl_iface_ap.c
@@ -22,6 +22,7 @@
@@ -23,6 +23,7 @@
#include "ctrl_iface_ap.h"
#include "ap_drv_ops.h"
@ -101,7 +101,7 @@
static int hostapd_get_sta_tx_rx(struct hostapd_data *hapd,
struct sta_info *sta,
@@ -224,6 +225,7 @@ int hostapd_ctrl_iface_sta_next(struct h
@@ -235,6 +236,7 @@ int hostapd_ctrl_iface_sta_next(struct h
return hostapd_ctrl_iface_sta_mib(hapd, sta->next, buf, buflen);
}
@ -111,33 +111,33 @@
static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype,
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2337,6 +2337,7 @@ static const char * bool_txt(Boolean boo
return bool_val ? "TRUE" : "FALSE";
@@ -2359,6 +2359,7 @@ static const char * bool_txt(Boolean val
return val ? "TRUE" : "FALSE";
}
+#ifdef CONFIG_CTRL_IFACE_MIB
int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
{
@@ -2512,6 +2513,7 @@ int ieee802_1x_get_mib_sta(struct hostap
@@ -2534,6 +2535,7 @@ int ieee802_1x_get_mib_sta(struct hostap
return len;
}
+#endif
static void ieee802_1x_finished(struct hostapd_data *hapd,
struct sta_info *sta, int success,
#ifdef CONFIG_HS20
static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2999,6 +2999,7 @@ static const char * wpa_bool_txt(int boo
return bool ? "TRUE" : "FALSE";
@@ -3069,6 +3069,7 @@ static const char * wpa_bool_txt(int val
return val ? "TRUE" : "FALSE";
}
+#ifdef CONFIG_CTRL_IFACE_MIB
#define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \
@@ -3143,7 +3144,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
@@ -3213,7 +3214,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
return len;
}
@ -148,7 +148,7 @@
{
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2032,6 +2032,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
@@ -2108,6 +2108,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
}
@ -157,7 +157,7 @@
#define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \
((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
@@ -2115,6 +2117,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
@@ -2191,6 +2193,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
return (int) len;
}
@ -167,7 +167,7 @@
--- a/wpa_supplicant/ap.c
+++ b/wpa_supplicant/ap.c
@@ -1015,7 +1015,7 @@ int wpas_ap_wps_nfc_report_handover(stru
@@ -1091,7 +1091,7 @@ int wpas_ap_wps_nfc_report_handover(stru
#endif /* CONFIG_WPS */

View File

@ -1,6 +1,6 @@
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -1228,6 +1228,31 @@ u32 wpa_akm_to_suite(int akm)
@@ -1242,6 +1242,31 @@ u32 wpa_akm_to_suite(int akm)
}
@ -32,7 +32,7 @@
int wpa_compare_rsn_ie(int ft_initial_assoc,
const u8 *ie1, size_t ie1len,
const u8 *ie2, size_t ie2len)
@@ -1235,8 +1260,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
@@ -1249,8 +1274,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
if (ie1 == NULL || ie2 == NULL)
return -1;

View File

@ -1,25 +1,22 @@
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -1052,11 +1052,9 @@ int hostapd_init_wps(struct hostapd_data
if (conf->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP))
@@ -352,8 +352,7 @@ static int hapd_wps_reconfig_in_memory(s
bss->wpa_pairwise |= WPA_CIPHER_GCMP;
else
bss->wpa_pairwise |= WPA_CIPHER_CCMP;
- }
- if (cred->encr_type & WPS_ENCR_TKIP)
+ } else if (cred->encr_type & WPS_ENCR_TKIP)
bss->wpa_pairwise |= WPA_CIPHER_TKIP;
bss->rsn_pairwise = bss->wpa_pairwise;
bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
@@ -1073,8 +1072,7 @@ int hostapd_init_wps(struct hostapd_data
if (conf->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) {
wps->encr_types |= WPS_ENCR_AES;
- if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
+ else if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
wps->encr_types_rsn |= WPS_ENCR_AES;
- }
- if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
+ } else if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
wps->encr_types |= WPS_ENCR_TKIP;
- }
-
- if (conf->wpa & WPA_PROTO_WPA) {
+ } else if (conf->wpa & WPA_PROTO_WPA) {
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
wps->auth_types |= WPS_AUTH_WPAPSK;
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X)
@@ -1064,7 +1062,7 @@ int hostapd_init_wps(struct hostapd_data
if (conf->wpa_pairwise & WPA_CIPHER_CCMP)
wps->encr_types |= WPS_ENCR_AES;
- if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
+ else if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
wps->encr_types |= WPS_ENCR_TKIP;
}
wps->encr_types_rsn |= WPS_ENCR_TKIP;
}

View File

@ -64,7 +64,7 @@
#ifdef CONFIG_DEBUG_FILE
static char *last_path = NULL;
#endif /* CONFIG_DEBUG_FILE */
@@ -602,7 +576,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
@@ -604,7 +578,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
}
@ -73,7 +73,7 @@
{
va_list ap;
char *buf;
@@ -640,7 +614,7 @@ void wpa_msg(void *ctx, int level, const
@@ -642,7 +616,7 @@ void wpa_msg(void *ctx, int level, const
}
@ -183,7 +183,7 @@
/*
* wpa_dbg() behaves like wpa_msg(), but it can be removed from build to reduce
@@ -181,7 +222,12 @@ void wpa_hexdump_ascii_key(int level, co
@@ -182,7 +223,12 @@ void wpa_hexdump_ascii_key(int level, co
*
* Note: New line '\n' is added to the end of the text when printing to stdout.
*/
@ -197,7 +197,7 @@
/**
* wpa_msg_ctrl - Conditional printf for ctrl_iface monitors
@@ -195,8 +241,13 @@ void wpa_msg(void *ctx, int level, const
@@ -196,8 +242,13 @@ void wpa_msg(void *ctx, int level, const
* attached ctrl_iface monitors. In other words, it can be used for frequent
* events that do not need to be sent to syslog.
*/

View File

@ -8,16 +8,16 @@
#include "crypto/random.h"
#include "crypto/tls.h"
#include "common/version.h"
@@ -567,7 +568,7 @@ int main(int argc, char *argv[])
@@ -593,7 +594,7 @@ int main(int argc, char *argv[])
wpa_supplicant_event = hostapd_wpa_event;
for (;;) {
- c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
+ c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:g:G:v::");
- c = getopt(argc, argv, "b:Bde:f:hKP:STtu:vg:G:");
+ c = getopt(argc, argv, "b:Bde:f:hKP:STtu:g:G:v::");
if (c < 0)
break;
switch (c) {
@@ -604,6 +605,8 @@ int main(int argc, char *argv[])
@@ -630,6 +631,8 @@ int main(int argc, char *argv[])
break;
#endif /* CONFIG_DEBUG_LINUX_TRACING */
case 'v':
@ -33,10 +33,10 @@
#include "common.h"
+#include "build_features.h"
#include "fst/fst.h"
#include "wpa_supplicant_i.h"
#include "driver_i.h"
#include "p2p_supplicant.h"
@@ -176,7 +177,7 @@ int main(int argc, char *argv[])
@@ -177,7 +178,7 @@ int main(int argc, char *argv[])
for (;;) {
c = getopt(argc, argv,
@ -45,7 +45,7 @@
if (c < 0)
break;
switch (c) {
@@ -279,8 +280,12 @@ int main(int argc, char *argv[])
@@ -280,8 +281,12 @@ int main(int argc, char *argv[])
break;
#endif /* CONFIG_DBUS */
case 'v':

View File

@ -1,6 +1,6 @@
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -67,7 +67,6 @@ static const char *commands_help =
@@ -68,7 +68,6 @@ static const char *const commands_help =
#ifdef CONFIG_IEEE80211W
" sa_query <addr> send SA Query to a station\n"
#endif /* CONFIG_IEEE80211W */
@ -8,7 +8,7 @@
" wps_pin <uuid> <pin> [timeout] [addr] add WPS Enrollee PIN\n"
" wps_check_pin <PIN> verify PIN checksum\n"
" wps_pbc indicate button pushed to initiate PBC\n"
@@ -80,7 +79,6 @@ static const char *commands_help =
@@ -81,7 +80,6 @@ static const char *const commands_help =
" wps_ap_pin <cmd> [params..] enable/disable AP PIN\n"
" wps_config <SSID> <auth> <encr> <key> configure AP\n"
" wps_get_status show current WPS status\n"
@ -16,7 +16,7 @@
" get_config show current configuration\n"
" help show this usage help\n"
" interface [ifname] show interfaces/select interface\n"
@@ -353,7 +351,6 @@ static int hostapd_cli_cmd_sa_query(stru
@@ -364,7 +362,6 @@ static int hostapd_cli_cmd_sa_query(stru
#endif /* CONFIG_IEEE80211W */
@ -24,7 +24,7 @@
static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
char *argv[])
{
@@ -579,7 +576,6 @@ static int hostapd_cli_cmd_wps_config(st
@@ -590,7 +587,6 @@ static int hostapd_cli_cmd_wps_config(st
ssid_hex, argv[1]);
return wpa_ctrl_command(ctrl, buf);
}
@ -32,7 +32,7 @@
static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
@@ -1027,7 +1023,6 @@ static struct hostapd_cli_cmd hostapd_cl
@@ -1086,7 +1082,6 @@ static const struct hostapd_cli_cmd host
#ifdef CONFIG_IEEE80211W
{ "sa_query", hostapd_cli_cmd_sa_query },
#endif /* CONFIG_IEEE80211W */
@ -40,7 +40,7 @@
{ "wps_pin", hostapd_cli_cmd_wps_pin },
{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin },
{ "wps_pbc", hostapd_cli_cmd_wps_pbc },
@@ -1041,7 +1036,6 @@ static struct hostapd_cli_cmd hostapd_cl
@@ -1100,7 +1095,6 @@ static const struct hostapd_cli_cmd host
{ "wps_ap_pin", hostapd_cli_cmd_wps_ap_pin },
{ "wps_config", hostapd_cli_cmd_wps_config },
{ "wps_get_status", hostapd_cli_cmd_wps_get_status },

View File

@ -1,13 +1,12 @@
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -26,6 +26,10 @@
@@ -25,6 +25,9 @@
#include <cutils/properties.h>
#endif /* ANDROID */
+#ifndef CONFIG_P2P
+#define CONFIG_P2P
+#endif
+
static const char *wpa_cli_version =
static const char *const wpa_cli_version =
"wpa_cli v" VERSION_STR "\n"
"Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors";

View File

@ -1,13 +0,0 @@
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -664,6 +664,10 @@ void handle_probe_req(struct hostapd_dat
return;
}
+ if (!sta && hapd->num_sta >= hapd->conf->max_num_sta)
+ wpa_printf(MSG_MSGDUMP, "Probe Request from " MACSTR " ignored,"
+ " too many connected stations.", MAC2STR(mgmt->sa));
+
#ifdef CONFIG_INTERWORKING
if (hapd->conf->interworking &&
elems.interworking && elems.interworking_len >= 1) {

View File

@ -1,6 +1,6 @@
--- a/hostapd/main.c
+++ b/hostapd/main.c
@@ -36,6 +36,8 @@ struct hapd_global {
@@ -37,6 +37,8 @@ struct hapd_global {
};
static struct hapd_global global;
@ -9,7 +9,7 @@
#ifndef CONFIG_NO_HOSTAPD_LOGGER
@@ -142,6 +144,14 @@ static void hostapd_logger_cb(void *ctx,
@@ -143,6 +145,14 @@ static void hostapd_logger_cb(void *ctx,
}
#endif /* CONFIG_NO_HOSTAPD_LOGGER */
@ -24,7 +24,7 @@
/**
* hostapd_driver_init - Preparate driver interface
@@ -160,6 +170,8 @@ static int hostapd_driver_init(struct ho
@@ -161,6 +171,8 @@ static int hostapd_driver_init(struct ho
return -1;
}
@ -33,7 +33,7 @@
/* Initialize the driver interface */
if (!(b[0] | b[1] | b[2] | b[3] | b[4] | b[5]))
b = NULL;
@@ -381,8 +393,6 @@ static void hostapd_global_deinit(const
@@ -382,8 +394,6 @@ static void hostapd_global_deinit(const
#endif /* CONFIG_NATIVE_WINDOWS */
eap_server_unregister_methods();
@ -42,7 +42,7 @@
}
@@ -408,11 +418,6 @@ static int hostapd_global_run(struct hap
@@ -409,11 +419,6 @@ static int hostapd_global_run(struct hap
}
#endif /* EAP_SERVER_TNC */
@ -54,7 +54,7 @@
eloop_run();
return 0;
@@ -542,8 +547,7 @@ int main(int argc, char *argv[])
@@ -566,8 +571,7 @@ int main(int argc, char *argv[])
struct hapd_interfaces interfaces;
int ret = 1;
size_t i, j;

View File

@ -20,9 +20,9 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
+#include "drivers/nl80211_copy.h"
#include "common/defs.h"
#include "common/ieee802_11_defs.h"
#include "utils/list.h"
@@ -538,6 +539,9 @@ struct wpa_driver_associate_params {
@@ -570,6 +571,9 @@ struct wpa_driver_associate_params {
* responsible for selecting with which BSS to associate. */
const u8 *bssid;
@ -34,15 +34,15 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
*
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -15,6 +15,7 @@
#include "rsn_supp/wpa.h"
@@ -16,6 +16,7 @@
#include "eap_peer/eap.h"
#include "p2p/p2p.h"
#include "fst/fst.h"
+#include "drivers/nl80211_copy.h"
#include "config.h"
@@ -1722,6 +1723,97 @@ static char * wpa_config_write_mesh_basi
@@ -1742,6 +1743,97 @@ static char * wpa_config_write_mesh_basi
#endif /* CONFIG_MESH */
@ -140,7 +140,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
/* Helper macros for network block parser */
#ifdef OFFSET
@@ -1947,6 +2039,9 @@ static const struct parse_data ssid_fiel
@@ -1973,6 +2065,9 @@ static const struct parse_data ssid_fiel
{ INT(ap_max_inactivity) },
{ INT(dtim_period) },
{ INT(beacon_int) },
@ -158,9 +158,9 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
#include "eap_peer/eap_config.h"
+#include "drivers/nl80211_copy.h"
#define MAX_SSID_LEN 32
@@ -675,6 +676,9 @@ struct wpa_ssid {
#define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
@@ -698,6 +699,9 @@ struct wpa_ssid {
*/
void *parent_cred;
@ -172,7 +172,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
* macsec_policy - Determines the policy for MACsec secure session
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2266,6 +2266,13 @@ static void wpas_start_assoc_cb(struct w
@@ -2421,6 +2421,13 @@ static void wpas_start_assoc_cb(struct w
params.beacon_int = ssid->beacon_int;
else
params.beacon_int = wpa_s->conf->beacon_int;

View File

@ -10,7 +10,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -4398,7 +4398,7 @@ static int wpa_driver_nl80211_ibss(struc
@@ -4491,7 +4491,7 @@ static int wpa_driver_nl80211_ibss(struc
struct wpa_driver_associate_params *params)
{
struct nl_msg *msg;
@ -19,7 +19,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
int count = 0;
wpa_printf(MSG_DEBUG, "nl80211: Join IBSS (ifindex=%d)", drv->ifindex);
@@ -4425,6 +4425,37 @@ retry:
@@ -4518,6 +4518,37 @@ retry:
nl80211_put_beacon_int(msg, params->beacon_int))
goto fail;

View File

@ -16,7 +16,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -541,6 +541,8 @@ struct wpa_driver_associate_params {
@@ -573,6 +573,8 @@ struct wpa_driver_associate_params {
unsigned char rates[NL80211_MAX_SUPP_RATES];
int mcast_rate;
@ -27,7 +27,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* bssid_hint - BSSID of a proposed AP
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -4456,6 +4456,22 @@ retry:
@@ -4549,6 +4549,22 @@ retry:
nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, params->mcast_rate);
}
@ -52,7 +52,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
goto fail;
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1754,6 +1754,71 @@ static char * wpa_config_write_mcast_rat
@@ -1774,6 +1774,71 @@ static char * wpa_config_write_mcast_rat
}
#endif /* NO_CONFIG_WRITE */
@ -124,7 +124,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
static int wpa_config_parse_rates(const struct parse_data *data,
struct wpa_ssid *ssid, int line,
const char *value)
@@ -2042,6 +2107,7 @@ static const struct parse_data ssid_fiel
@@ -2068,6 +2133,7 @@ static const struct parse_data ssid_fiel
{ INT_RANGE(fixed_freq, 0, 1) },
{ FUNC(rates) },
{ FUNC(mcast_rate) },
@ -134,7 +134,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
#endif /* CONFIG_MACSEC */
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -678,6 +678,8 @@ struct wpa_ssid {
@@ -701,6 +701,8 @@ struct wpa_ssid {
unsigned char rates[NL80211_MAX_SUPP_RATES];
double mcast_rate;
@ -145,7 +145,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
/**
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2273,6 +2273,8 @@ static void wpas_start_assoc_cb(struct w
@@ -2428,6 +2428,8 @@ static void wpas_start_assoc_cb(struct w
i++;
}
params.mcast_rate = ssid->mcast_rate;

View File

@ -1,11 +0,0 @@
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -179,7 +179,7 @@ struct sta_info {
* AP_DISASSOC_DELAY seconds. Similarly, the station will be deauthenticated
* after AP_DEAUTH_DELAY seconds has passed after disassociation. */
#define AP_MAX_INACTIVITY (5 * 60)
-#define AP_DISASSOC_DELAY (1)
+#define AP_DISASSOC_DELAY (3)
#define AP_DEAUTH_DELAY (1)
/* Number of seconds to keep STA entry with Authenticated flag after it has
* been disassociated. */

View File

@ -1,6 +1,6 @@
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -121,6 +121,11 @@ OBJS += ../src/common/hw_features_common
@@ -155,6 +155,11 @@ OBJS += ../src/common/hw_features_common
OBJS += ../src/eapol_auth/eapol_auth_sm.o
@ -22,7 +22,7 @@
struct wpa_ctrl_dst;
struct radius_server_data;
@@ -103,6 +104,7 @@ struct hostapd_data {
@@ -107,6 +108,7 @@ struct hostapd_data {
struct hostapd_iface *iface;
struct hostapd_config *iconf;
struct hostapd_bss_config *conf;
@ -30,7 +30,7 @@
int interface_added; /* virtual interface added for this BSS */
unsigned int started:1;
unsigned int disabled:1;
@@ -286,6 +288,8 @@ struct hostapd_iface {
@@ -299,6 +301,8 @@ struct hostapd_iface {
struct hostapd_config *conf;
char phy[16]; /* Name of the PHY (radio) */
@ -41,7 +41,7 @@
HAPD_IFACE_DISABLED,
--- /dev/null
+++ b/src/ap/ubus.c
@@ -0,0 +1,511 @@
@@ -0,0 +1,536 @@
+/*
+ * hostapd / ubus support
+ * Copyright (c) 2013, Felix Fietkau <nbd@openwrt.org>
@ -58,6 +58,8 @@
+#include "wps_hostapd.h"
+#include "sta_info.h"
+#include "ubus.h"
+#include "ap_drv_ops.h"
+#include "beacon.h"
+
+static struct ubus_context *ctx;
+static struct blob_buf b;
@ -417,6 +419,10 @@
+{
+ struct blob_attr *tb[__VENDOR_ELEMENTS_MAX];
+ struct hostapd_data *hapd = get_hapd_from_object(obj);
+ struct hostapd_bss_config *bss = hapd->conf;
+ struct wpabuf *elems;
+ const char *pos;
+ size_t len;
+
+ blobmsg_parse(ve_policy, __VENDOR_ELEMENTS_MAX, tb,
+ blob_data(msg), blob_len(msg));
@ -424,10 +430,29 @@
+ if (!tb[VENDOR_ELEMENTS])
+ return UBUS_STATUS_INVALID_ARGUMENT;
+
+ const char *vendor_elements = blobmsg_data(tb[VENDOR_ELEMENTS]);
+ if (hostapd_set_iface(hapd->iconf, hapd->conf, "vendor_elements",
+ vendor_elements) != 0)
+ return UBUS_STATUS_NOT_SUPPORTED;
+ pos = blobmsg_data(tb[VENDOR_ELEMENTS]);
+ len = os_strlen(pos);
+ if (len & 0x01)
+ return UBUS_STATUS_INVALID_ARGUMENT;
+
+ len /= 2;
+ if (len == 0) {
+ wpabuf_free(bss->vendor_elements);
+ bss->vendor_elements = NULL;
+ return 0;
+ }
+
+ elems = wpabuf_alloc(len);
+ if (elems == NULL)
+ return 1;
+
+ if (hexstr2bin(pos, wpabuf_put(elems, len), len)) {
+ wpabuf_free(elems);
+ return UBUS_STATUS_INVALID_ARGUMENT;
+ }
+
+ wpabuf_free(bss->vendor_elements);
+ bss->vendor_elements = elems;
+
+ /* update beacons if vendor elements were set successfully */
+ if (ieee802_11_update_beacons(hapd->iface) != 0)
@ -636,7 +661,7 @@
+#endif
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -277,6 +277,7 @@ static void hostapd_free_hapd_data(struc
@@ -280,6 +280,7 @@ static void hostapd_free_hapd_data(struc
hapd->started = 0;
wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
@ -644,7 +669,7 @@
iapp_deinit(hapd->iapp);
hapd->iapp = NULL;
accounting_deinit(hapd);
@@ -1098,6 +1099,8 @@ static int hostapd_setup_bss(struct host
@@ -1118,6 +1119,8 @@ static int hostapd_setup_bss(struct host
if (hapd->driver && hapd->driver->set_operstate)
hapd->driver->set_operstate(hapd->drv_priv, 1);
@ -653,7 +678,7 @@
return 0;
}
@@ -1384,6 +1387,7 @@ int hostapd_setup_interface_complete(str
@@ -1523,6 +1526,7 @@ static int hostapd_setup_interface_compl
if (err)
goto fail;
@ -661,15 +686,15 @@
wpa_printf(MSG_DEBUG, "Completing interface initialization");
if (iface->conf->channel) {
#ifdef NEED_AP_MLME
@@ -1544,6 +1548,7 @@ dfs_offload:
@@ -1700,6 +1704,7 @@ dfs_offload:
fail:
wpa_printf(MSG_ERROR, "Interface initialization failed");
+ hostapd_ubus_free_iface(iface);
hostapd_set_state(iface, HAPD_IFACE_DISABLED);
wpa_msg(hapd->msg_ctx, MSG_INFO, AP_EVENT_DISABLED);
if (iface->interfaces && iface->interfaces->terminate_on_error)
@@ -1873,6 +1878,7 @@ void hostapd_interface_deinit_free(struc
#ifdef CONFIG_FST
@@ -2125,6 +2130,7 @@ void hostapd_interface_deinit_free(struc
(unsigned int) iface->conf->num_bss);
driver = iface->bss[0]->driver;
drv_priv = iface->bss[0]->drv_priv;
@ -679,7 +704,7 @@
__func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -881,7 +881,8 @@ int auth_sae_init_committed(struct hosta
@@ -877,7 +877,8 @@ int auth_sae_init_committed(struct hosta
static void handle_auth(struct hostapd_data *hapd,
@ -689,7 +714,7 @@
{
u16 auth_alg, auth_transaction, status_code;
u16 resp = WLAN_STATUS_SUCCESS;
@@ -897,6 +898,11 @@ static void handle_auth(struct hostapd_d
@@ -893,6 +894,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL;
char *radius_cui = NULL;
u16 seq_ctrl;
@ -701,7 +726,7 @@
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
@@ -983,6 +989,14 @@ static void handle_auth(struct hostapd_d
@@ -1044,6 +1050,14 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail;
}
@ -716,7 +741,7 @@
if (res == HOSTAPD_ACL_PENDING) {
wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
" waiting for an external authentication",
@@ -1694,13 +1708,18 @@ static void send_assoc_resp(struct hosta
@@ -1776,13 +1790,18 @@ static void send_assoc_resp(struct hosta
static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
@ -736,7 +761,7 @@
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) {
@@ -1820,6 +1839,13 @@ static void handle_assoc(struct hostapd_
@@ -1902,6 +1921,13 @@ static void handle_assoc(struct hostapd_
goto fail;
}
@ -750,7 +775,7 @@
sta->capability = capab_info;
sta->listen_interval = listen_interval;
@@ -2236,7 +2262,7 @@ int ieee802_11_mgmt(struct hostapd_data
@@ -2328,7 +2354,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@ -759,7 +784,7 @@
return 1;
}
@@ -2251,17 +2277,17 @@ int ieee802_11_mgmt(struct hostapd_data
@@ -2346,17 +2372,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) {
case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth");
@ -782,7 +807,7 @@
case WLAN_FC_STYPE_DISASSOC:
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -542,7 +542,7 @@ static enum ssid_match_result ssid_match
@@ -667,7 +667,7 @@ sta_track_seen_on(struct hostapd_iface *
void handle_probe_req(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
@ -791,13 +816,14 @@
{
u8 *resp;
struct ieee802_11_elems elems;
@@ -550,8 +550,14 @@ void handle_probe_req(struct hostapd_dat
size_t ie_len;
struct sta_info *sta = NULL;
@@ -676,9 +676,15 @@ void handle_probe_req(struct hostapd_dat
size_t i, resp_len;
+ int ssi_signal = fi->ssi_signal;
int noack;
enum ssid_match_result res;
+ int ssi_signal = fi->ssi_signal;
int ret;
u16 csa_offs[2];
size_t csa_offs_len;
+ struct hostapd_ubus_request req = {
+ .type = HOSTAPD_UBUS_PROBE_REQ,
+ .mgmt_frame = mgmt,
@ -806,7 +832,7 @@
ie = mgmt->u.probe_req.variable;
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
@@ -710,6 +716,12 @@ void handle_probe_req(struct hostapd_dat
@@ -830,6 +836,12 @@ void handle_probe_req(struct hostapd_dat
}
#endif /* CONFIG_P2P */
@ -832,7 +858,7 @@
int ieee802_11_update_beacons(struct hostapd_iface *iface);
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -49,6 +49,10 @@ int hostapd_notif_assoc(struct hostapd_d
@@ -51,6 +51,10 @@ int hostapd_notif_assoc(struct hostapd_d
u16 reason = WLAN_REASON_UNSPECIFIED;
u16 status = WLAN_STATUS_SUCCESS;
const u8 *p2p_dev_addr = NULL;
@ -843,9 +869,9 @@
if (addr == NULL) {
/*
@@ -113,6 +117,12 @@ int hostapd_notif_assoc(struct hostapd_d
@@ -123,6 +127,12 @@ int hostapd_notif_assoc(struct hostapd_d
goto fail;
}
sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
+ if (hostapd_ubus_handle_event(hapd, &req)) {
+ wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",