android_external_wpa_supplicant_8/src, branch stable/cm-12.0-YNG3C Unnamed repository; edit this file 'description' to name the repository. P2P: Validate SSID element length before copying it 2015-04-23T04:34:10+00:00 Jouni Malinen jouni@qca.qualcomm.com 2015-04-07T08:32:11+00:00 6f5b05b471d8cba1b522cb7af34e3a356925e787 This fixes a possible memcpy overflow for P2P dev->oper_ssid in p2p_add_device(). The length provided by the peer device (0..255 bytes) was used without proper bounds checking and that could have resulted in arbitrary data of up to 223 bytes being written beyond the end of the dev->oper_ssid[] array (of which about 150 bytes would be beyond the heap allocation) when processing a corrupted management frame for P2P peer discovery purposes. This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution. Thanks to Google security team for reporting this issue and smart hardware research group of Alibaba security team for discovering it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> (cherry picked from commit fdb708a37d8f7f1483e3cd4e8ded974f53fedace) Change-Id: Ibc53ff533f78cfcd7c51fbb5d5494b828f184cc8 
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

(cherry picked from commit fdb708a37d8f7f1483e3cd4e8ded974f53fedace)

Change-Id: Ibc53ff533f78cfcd7c51fbb5d5494b828f184cc8
wpa_supplicant: Force the p2p channels to reuse frequencies used by STA 2015-03-30T15:34:01+00:00 Diogo Ferreira diogo@underdev.org 2015-03-23T13:10:49+00:00 ad050d5c53eb81b00592d37f4e530b082f7b024b In the mediatek platform the performance of p2p connections will degrade significantly if different frequences are used for STA and P2P. Change-Id: I8bd7e4a3f10177c99d273eccb88c8590fcbe3d34 
In the mediatek platform the performance of p2p connections will
degrade significantly if different frequences are used for STA and
P2P.

Change-Id: I8bd7e4a3f10177c99d273eccb88c8590fcbe3d34
Improve subject_match and domain_suffix_match documentation 2015-03-18T06:35:23+00:00 Jouni Malinen j@w1.fi 2015-01-10T22:00:04+00:00 db50417d3ee5b4fd3037a4fce0827455d6982cc2 These were already covered in both README-HS20 for credentials and in header files for developers' documentation, but the copy in wpa_supplicant.conf did not include all the details. In addition, add a clearer note pointing at subject_match not being suitable for suffix matching domain names; domain_suffix_match must be used for that. Signed-off-by: Jouni Malinen <j@w1.fi> Git-repo : git://w1.fi/srv/git/hostap.git Git-commit:394b54732ec9586f96aa91423a2da55806b0adec CRs-Fixed: 786617 Change-Id: I0b0b7e001bcc78a6a3a347b6c23ba38d76a78c58 
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
Git-repo : git://w1.fi/srv/git/hostap.git
Git-commit:394b54732ec9586f96aa91423a2da55806b0adec
CRs-Fixed: 786617

Change-Id: I0b0b7e001bcc78a6a3a347b6c23ba38d76a78c58
nl80211: Ignore Connect failure for the previous association 2015-02-14T11:35:48+00:00 Jithu Jance jithu@broadcom.com 2014-12-03T13:24:40+00:00 370379b257b95f677f1b6eeb4ac00f3ec5f97b16 Suppose there are two APs (AP1 & AP2) and user attempted to connect to AP2 before the previous connection with AP1 could succeed. Now, if the connection event comes for the older AP with failed status, we should just ignore it as the wpa_supplicant state has moved to "ASSOCIATING" with the new AP (AP2). This is a similar to the case where a disconnection event is ignored for a case where local disconnect request can cause the extra event to show up during the next association process following that command. Signed-off-by: Jithu Jance <jithu@broadcom.com> Git-commit: 0d4e3d1d13b2fd28128f10bc7f455034bc1bbcbb Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: If3190b21e0430f181ef342fabf63cd9090fa59b7 CRs-fixed: 771294 
Suppose there are two APs (AP1 & AP2) and user attempted to connect to
AP2 before the previous connection with AP1 could succeed. Now, if the
connection event comes for the older AP with failed status, we should
just ignore it as the wpa_supplicant state has moved to "ASSOCIATING"
with the new AP (AP2).

This is a similar to the case where a disconnection event is ignored for
a case where local disconnect request can cause the extra event to show
up during the next association process following that command.

Signed-off-by: Jithu Jance <jithu@broadcom.com>
Git-commit: 0d4e3d1d13b2fd28128f10bc7f455034bc1bbcbb
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: If3190b21e0430f181ef342fabf63cd9090fa59b7
CRs-fixed: 771294
hostapd: Allow ACS to be offloaded to the driver 2015-02-14T11:35:46+00:00 Peng Xu pxu@qca.qualcomm.com 2014-11-18T18:11:09+00:00 01679afab744f66a3aeddf367d1e2b7958b73483 Using QCA vendor command, allow ACS function to be offloaded to the driver. Once channels are selected, hostapd is notified to perform OBSS operation Conflicts: src/ap/ap_drv_ops.c src/common/qca-vendor.h src/drivers/driver.h src/drivers/driver_common.c src/drivers/driver_nl80211.c Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Git-commit: 16689c7cfc99c66aecbf16eb2f4a8bc941cb5d0f Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: Ib36cdc5b267901ba3e3cc373d722f9fdc5ff50bb CRs-fixed: 752061 
Using QCA vendor command, allow ACS function to be offloaded to the
driver. Once channels are selected, hostapd is notified to perform OBSS
operation

Conflicts:
	src/ap/ap_drv_ops.c
	src/common/qca-vendor.h
	src/drivers/driver.h
	src/drivers/driver_common.c
	src/drivers/driver_nl80211.c

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: 16689c7cfc99c66aecbf16eb2f4a8bc941cb5d0f
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: Ib36cdc5b267901ba3e3cc373d722f9fdc5ff50bb
CRs-fixed: 752061
P2P: Check Invitation Response dialog token match for resend case 2015-02-14T11:35:45+00:00 Sunil Dutt usdutt@qti.qualcomm.com 2014-12-08T09:41:16+00:00 9f26d84d3b96b00c352ebe9682dc2769bb1888ec Commit ac330cfd87397a1a01e697984f3944f427e88dad ('P2P: Reinvite with social operation channel if no common channels') introduced a mechamisn to reinvite a peer during a persistent group reinvocation from a GO with a different operating channel proposal. This mechanism can fail if the inviting device (GO) ends up getting a retransmitted, duplicated Invitation Response frame processed second time while waiting for the response to the retried Invitation Request (using one of the social channels as the operating channel). IEEE 802.11 duplicate frame detection mechanisms are supposed to prevent this type of sequence, but not all drivers support those rules properly for pre-association frames, including P2P Public Action frames. Work around this issue by checking that the dialog token in the Invitation Response frame matches the one from the last Invitation Request if the special invitation retry mechanism is used. This is safer to do now than to enable dialog token matching for all invitation cases. CRs-fixed: 768932 Git-commit: 36b5c3335ad512061d2b39af03bb7e3508209951 Git-repo : git://w1.fi/srv/git/hostap.git Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Change-Id: I131608ccc18597ecf1579e994c41026ec5fd2742 
Commit ac330cfd87397a1a01e697984f3944f427e88dad ('P2P: Reinvite with
social operation channel if no common channels') introduced a mechamisn
to reinvite a peer during a persistent group reinvocation from a GO with
a different operating channel proposal. This mechanism can fail if the
inviting device (GO) ends up getting a retransmitted, duplicated
Invitation Response frame processed second time while waiting for the
response to the retried Invitation Request (using one of the social
channels as the operating channel). IEEE 802.11 duplicate frame
detection mechanisms are supposed to prevent this type of sequence, but
not all drivers support those rules properly for pre-association frames,
including P2P Public Action frames.

Work around this issue by checking that the dialog token in the
Invitation Response frame matches the one from the last Invitation
Request if the special invitation retry mechanism is used. This is safer
to do now than to enable dialog token matching for all invitation cases.

CRs-fixed: 768932
Git-commit: 36b5c3335ad512061d2b39af03bb7e3508209951
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: I131608ccc18597ecf1579e994c41026ec5fd2742
nl80211: Add driver flag to indicate mesh support 2015-02-14T11:35:42+00:00 Bob Copeland me@bobcopeland.com 2014-09-01T04:23:23+00:00 fbe23ec9a59712da3f126bf2b50d1906f1ad2f8a Convert the driver flags variable to u64 since there was no room for more flags. Signed-off-by: Javier Lopez <jlopex@gmail.com> Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Jason Mobarak <x@jason.mobarak.name> Signed-off-by: Bob Copeland <me@bobcopeland.com> Conflicts: src/drivers/driver.h src/drivers/driver_nl80211.c Git-commit: 24bd4e0be56ef0371a71f4749808a44b3aeffe16 Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: Ic4cc033fcc3eea368e32f230f37be96b713d1316 CRs-fixed: 752061 
Convert the driver flags variable to u64 since there was no room for
more flags.

Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>

Conflicts:
	src/drivers/driver.h
	src/drivers/driver_nl80211.c

Git-commit: 24bd4e0be56ef0371a71f4749808a44b3aeffe16
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: Ic4cc033fcc3eea368e32f230f37be96b713d1316
CRs-fixed: 752061
hostapd: Change drv_flags from unsigned int to u64 2015-02-14T11:35:37+00:00 Yanbo Li yanbol@qti.qualcomm.com 2014-11-02T09:46:35+00:00 1492f05d8873ff50a5d95e18cf280c4c028694f2 Some flag already using a bit larger than 32, so extend the hostapd drv_flags type similarly to the earlier wpa_supplicant change to get the full flag content. Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Git-commit: e3a8ad44055d5b453c7f080958137eb718a60b6e Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: I48c71d11a5f7e774c678d95d8fe2e276eda5f05c CRs-fixed: 752061 
Some flag already using a bit larger than 32, so extend the hostapd
drv_flags type similarly to the earlier wpa_supplicant change to get the
full flag content.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: e3a8ad44055d5b453c7f080958137eb718a60b6e
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: I48c71d11a5f7e774c678d95d8fe2e276eda5f05c
CRs-fixed: 752061
eap_proxy: Remove extra bytes in EAP-Response/Identity 2014-12-04T06:37:52+00:00 Bala Krishna Bhamidipati c_bbhami@qti.qualcomm.com 2014-12-03T07:15:41+00:00 98be21929a86b9d4d985928dc7a83245b2bb9f9c Adding size_of wpa_buf to the eap response from the modem is reflecting in extra bytes to the identity and some radius servers are unable to map the identity, further causing a failure. This fix will remove the extra length being added to the response frame. Change-Id: Ie3c8db99b4de5d94491c329ff63adfb48527c1aa CRs-Fixed: 765232 
Adding size_of wpa_buf to the eap response from the modem is
reflecting in extra bytes to the identity and some radius servers
are unable to map the identity, further causing a failure.
This fix will remove the extra length being added to the response
frame.

Change-Id: Ie3c8db99b4de5d94491c329ff63adfb48527c1aa
CRs-Fixed: 765232
P2P: Reinvite with social operation channel if no common channels 2014-12-01T08:11:56+00:00 Rashmi Ramanna c_ramanr@qti.qualcomm.com 2014-11-26T15:53:55+00:00 5331659e57c7aab29f85c30ba7378f2430473ad7 If invitation to reinvoke a persistent group from the GO fails with the peer indicating that there are no common channels, there is no defined means for the peer to indicate which channel could have worked. Since this type of issue with available channels changing over time can happen, try to work around this by retrying invitation using one of the social channels as the operating channel unless a specific operating channel was forced for the group. CRs-fixed: 764464 Git-commit: ac330cfd87397a1a01e697984f3944f427e88dad Git-repo : git://w1.fi/srv/git/hostap.git Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Change-Id: I40106f91e0e7bc3b2dfddcac75c7034a34773e95 
If invitation to reinvoke a persistent group from the GO fails with the
peer indicating that there are no common channels, there is no defined
means for the peer to indicate which channel could have worked. Since
this type of issue with available channels changing over time can
happen, try to work around this by retrying invitation using one of the
social channels as the operating channel unless a specific operating
channel was forced for the group.

CRs-fixed: 764464
Git-commit: ac330cfd87397a1a01e697984f3944f427e88dad
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: I40106f91e0e7bc3b2dfddcac75c7034a34773e95