Merge tag 'android-6.0.1_r3' into 601r3

Android 6.0.1 release 3

* tag 'android-6.0.1_r3':
  RSN: Stop connection attempt on apparent PMK mismatch
  Throttle control interface event message bursts
  Add wpa_supplicant EVENT_TEST control interface command
  hostapd: Global control interface notifications
  Add debug prints for wpa_supplicant ctrl_iface socket send operations
  Update AP WPA/RSN IE on all associations if driver can select BSS

Conflicts:
	wpa_supplicant/ctrl_iface_unix.c

Change-Id: I8c5a51afff761112ba36ae21b94fd21f07d4c18a

3 files changed, 302 insertions, 11 deletions

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 38cbce63..2d4d8b80 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -249,6 +249,17 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
 					"RSN: the new PMK matches with the "
 					"PMKID");
 				abort_cached = 0;
+			} else if (sa && !sm->cur_pmksa && pmkid) {
+				/*
+				 * It looks like the authentication server
+				 * derived mismatching MSK. This should not
+				 * really happen, but bugs happen.. There is not
+				 * much we can do here without knowing what
+				 * exactly caused the server to misbehave.
+				 */
+				wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
+					"RSN: PMKID mismatch - authentication server may have derived different MSK?!");
+				return -1;
 			}
 
 			if (!sm->cur_pmksa)
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index e4c932b0..9b0d20b5 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -7566,6 +7566,33 @@ static int wpas_ctrl_get_alloc_fail(struct wpa_supplicant *wpa_s,
 #endif /* WPA_TRACE_BFD */
 }
 
+
+static void wpas_ctrl_event_test_cb(void *eloop_ctx, void *timeout_ctx)
+{
+	struct wpa_supplicant *wpa_s = eloop_ctx;
+	int i, count = (intptr_t) timeout_ctx;
+
+	wpa_printf(MSG_DEBUG, "TEST: Send %d control interface event messages",
+		   count);
+	for (i = 0; i < count; i++) {
+		wpa_msg_ctrl(wpa_s, MSG_INFO, "TEST-EVENT-MESSAGE %d/%d",
+			     i + 1, count);
+	}
+}
+
+
+static int wpas_ctrl_event_test(struct wpa_supplicant *wpa_s, const char *cmd)
+{
+	int count;
+
+	count = atoi(cmd);
+	if (count <= 0)
+		return -1;
+
+	return eloop_register_timeout(0, 0, wpas_ctrl_event_test_cb, wpa_s,
+				      (void *) (intptr_t) count);
+}
+
 #endif /* CONFIG_TESTING_OPTIONS */
 
 
@@ -8595,6 +8622,9 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
 			reply_len = -1;
 	} else if (os_strcmp(buf, "GET_ALLOC_FAIL") == 0) {
 		reply_len = wpas_ctrl_get_alloc_fail(wpa_s, reply, reply_size);
+	} else if (os_strncmp(buf, "EVENT_TEST ", 11) == 0) {
+		if (wpas_ctrl_event_test(wpa_s, buf + 11) < 0)
+			reply_len = -1;
 #endif /* CONFIG_TESTING_OPTIONS */
 	} else if (os_strncmp(buf, "VENDOR_ELEM_ADD ", 16) == 0) {
 		if (wpas_ctrl_vendor_elem_add(wpa_s, buf + 16) < 0)
diff --git a/wpa_supplicant/ctrl_iface_unix.c b/wpa_supplicant/ctrl_iface_unix.c
index 5b48cf94..21de6219 100644
--- a/wpa_supplicant/ctrl_iface_unix.c
+++ b/wpa_supplicant/ctrl_iface_unix.c
@@ -13,6 +13,10 @@
 #include <stddef.h>
 #include <unistd.h>
 #include <fcntl.h>
+#ifdef __linux__
+#include <sys/ioctl.h>
+#include <linux/sockios.h>
+#endif /* __linux__ */
 #ifdef ANDROID
 #include <cutils/sockets.h>
 #endif /* ANDROID */
@@ -48,6 +52,8 @@ struct ctrl_iface_priv {
 	int sock;
 	struct dl_list ctrl_dst;
 	int android_control_socket;
+	struct dl_list msg_queue;
+	unsigned int throttle_count;
 };
 
 
@@ -56,6 +62,17 @@ struct ctrl_iface_global_priv {
 	int sock;
 	struct dl_list ctrl_dst;
 	int android_control_socket;
+	struct dl_list msg_queue;
+	unsigned int throttle_count;
+};
+
+struct ctrl_iface_msg {
+	struct dl_list list;
+	struct wpa_supplicant *wpa_s;
+	int level;
+	enum wpa_msg_type type;
+	const char *txt;
+	size_t len;
 };
 
 
@@ -72,6 +89,32 @@ static int wpas_ctrl_iface_global_reinit(struct wpa_global *global,
 					 struct ctrl_iface_global_priv *priv);
 
 
+static void wpas_ctrl_sock_debug(const char *title, int sock, const char *buf,
+				 size_t len)
+{
+#ifdef __linux__
+	socklen_t optlen;
+	int sndbuf, outq;
+	int level = MSG_DEBUG;
+
+	if (len >= 5 && os_strncmp(buf, "PONG\n", 5) == 0)
+		level = MSG_EXCESSIVE;
+
+	optlen = sizeof(sndbuf);
+	sndbuf = 0;
+	if (getsockopt(sock, SOL_SOCKET, SO_SNDBUF, &sndbuf, &optlen) < 0)
+		sndbuf = -1;
+
+	if (ioctl(sock, SIOCOUTQ, &outq) < 0)
+		outq = -1;
+
+	wpa_printf(level,
+		   "CTRL-DEBUG: %s: sock=%d sndbuf=%d outq=%d send_len=%d",
+		   title, sock, sndbuf, outq, (int) len);
+#endif /* __linux__ */
+}
+
+
 static int wpa_supplicant_ctrl_iface_attach(struct dl_list *ctrl_dst,
 					    struct sockaddr_un *from,
 					    socklen_t fromlen, int global)
@@ -215,6 +258,8 @@ static void wpa_supplicant_ctrl_iface_receive(int sock, void *eloop_ctx,
 	}
 
 	if (reply) {
+		wpas_ctrl_sock_debug("ctrl_sock-sendto", sock, reply,
+				     reply_len);
 		if (sendto(sock, reply, reply_len, 0, (struct sockaddr *) &from,
 			   fromlen) < 0) {
 			int _errno = errno;
@@ -302,33 +347,209 @@ static char * wpa_supplicant_ctrl_iface_path(struct wpa_supplicant *wpa_s)
 }
 
 
+static int wpas_ctrl_iface_throttle(int sock)
+{
+#ifdef __linux__
+	socklen_t optlen;
+	int sndbuf, outq;
+
+	optlen = sizeof(sndbuf);
+	sndbuf = 0;
+	if (getsockopt(sock, SOL_SOCKET, SO_SNDBUF, &sndbuf, &optlen) < 0 ||
+	    ioctl(sock, SIOCOUTQ, &outq) < 0 ||
+	    sndbuf <= 0 || outq < 0)
+		return 0;
+	return outq > sndbuf / 2;
+#else /* __linux__ */
+	return 0;
+#endif /* __linux__ */
+}
+
+
+static void wpas_ctrl_msg_send_pending_global(struct wpa_global *global)
+{
+	struct ctrl_iface_global_priv *gpriv;
+	struct ctrl_iface_msg *msg;
+
+	gpriv = global->ctrl_iface;
+	while (gpriv && !dl_list_empty(&gpriv->msg_queue) &&
+	       !wpas_ctrl_iface_throttle(gpriv->sock)) {
+		msg = dl_list_first(&gpriv->msg_queue, struct ctrl_iface_msg,
+				    list);
+		if (!msg)
+			break;
+		dl_list_del(&msg->list);
+		wpa_supplicant_ctrl_iface_send(
+			msg->wpa_s,
+			msg->type != WPA_MSG_PER_INTERFACE ?
+			NULL : msg->wpa_s->ifname,
+			gpriv->sock, &gpriv->ctrl_dst, msg->level,
+			msg->txt, msg->len, NULL, gpriv);
+		os_free(msg);
+	}
+}
+
+
+static void wpas_ctrl_msg_send_pending_iface(struct wpa_supplicant *wpa_s)
+{
+	struct ctrl_iface_priv *priv;
+	struct ctrl_iface_msg *msg;
+
+	priv = wpa_s->ctrl_iface;
+	while (priv && !dl_list_empty(&priv->msg_queue) &&
+	       !wpas_ctrl_iface_throttle(priv->sock)) {
+		msg = dl_list_first(&priv->msg_queue, struct ctrl_iface_msg,
+				    list);
+		if (!msg)
+			break;
+		dl_list_del(&msg->list);
+		wpa_supplicant_ctrl_iface_send(wpa_s, NULL, priv->sock,
+					       &priv->ctrl_dst, msg->level,
+					       msg->txt, msg->len, priv, NULL);
+		os_free(msg);
+	}
+}
+
+
+static void wpas_ctrl_msg_queue_timeout(void *eloop_ctx, void *timeout_ctx)
+{
+	struct wpa_supplicant *wpa_s = eloop_ctx;
+	struct ctrl_iface_priv *priv;
+	struct ctrl_iface_global_priv *gpriv;
+	int sock = -1, gsock = -1;
+
+	wpas_ctrl_msg_send_pending_global(wpa_s->global);
+	wpas_ctrl_msg_send_pending_iface(wpa_s);
+
+	priv = wpa_s->ctrl_iface;
+	if (priv && !dl_list_empty(&priv->msg_queue))
+		sock = priv->sock;
+
+	gpriv = wpa_s->global->ctrl_iface;
+	if (gpriv && !dl_list_empty(&gpriv->msg_queue))
+		gsock = gpriv->sock;
+
+	if (sock > -1 || gsock > -1) {
+		/* Continue pending message transmission from a timeout */
+		wpa_printf(MSG_MSGDUMP,
+			   "CTRL: Had to throttle pending event message transmission for (sock %d gsock %d)",
+			   sock, gsock);
+		eloop_register_timeout(0, 20000, wpas_ctrl_msg_queue_timeout,
+				       wpa_s, NULL);
+	}
+}
+
+
+static void wpas_ctrl_msg_queue(struct dl_list *queue,
+				struct wpa_supplicant *wpa_s, int level,
+				enum wpa_msg_type type,
+				const char *txt, size_t len)
+{
+	struct ctrl_iface_msg *msg;
+
+	msg = os_zalloc(sizeof(*msg) + len);
+	if (!msg)
+		return;
+
+	msg->wpa_s = wpa_s;
+	msg->level = level;
+	msg->type = type;
+	os_memcpy(msg + 1, txt, len);
+	msg->txt = (const char *) (msg + 1);
+	msg->len = len;
+	dl_list_add_tail(queue, &msg->list);
+	eloop_cancel_timeout(wpas_ctrl_msg_queue_timeout, wpa_s, NULL);
+	eloop_register_timeout(0, 0, wpas_ctrl_msg_queue_timeout, wpa_s, NULL);
+}
+
+
+static void wpas_ctrl_msg_queue_limit(unsigned int throttle_count,
+				      struct dl_list *queue)
+{
+	struct ctrl_iface_msg *msg;
+
+	if (throttle_count < 2000)
+		return;
+
+	msg = dl_list_first(queue, struct ctrl_iface_msg, list);
+	if (msg) {
+		wpa_printf(MSG_DEBUG, "CTRL: Dropped oldest pending message");
+		dl_list_del(&msg->list);
+		os_free(msg);
+	}
+}
+
+
 static void wpa_supplicant_ctrl_iface_msg_cb(void *ctx, int level,
 					     enum wpa_msg_type type,
 					     const char *txt, size_t len)
 {
 	struct wpa_supplicant *wpa_s = ctx;
+	struct ctrl_iface_priv *priv;
+	struct ctrl_iface_global_priv *gpriv;
 
 	if (wpa_s == NULL)
 		return;
 
-	if (type != WPA_MSG_NO_GLOBAL && wpa_s->global->ctrl_iface) {
-		struct ctrl_iface_global_priv *priv = wpa_s->global->ctrl_iface;
-		if (!dl_list_empty(&priv->ctrl_dst)) {
+	gpriv = wpa_s->global->ctrl_iface;
+
+	if (type != WPA_MSG_NO_GLOBAL && gpriv &&
+	    !dl_list_empty(&gpriv->ctrl_dst)) {
+		if (!dl_list_empty(&gpriv->msg_queue) ||
+		    wpas_ctrl_iface_throttle(gpriv->sock)) {
+			if (gpriv->throttle_count == 0) {
+				wpa_printf(MSG_MSGDUMP,
+					   "CTRL: Had to throttle global event message for sock %d",
+					   gpriv->sock);
+			}
+			gpriv->throttle_count++;
+			wpas_ctrl_msg_queue_limit(gpriv->throttle_count,
+						  &gpriv->msg_queue);
+			wpas_ctrl_msg_queue(&gpriv->msg_queue, wpa_s, level,
+					    type, txt, len);
+		} else {
+			if (gpriv->throttle_count) {
+				wpa_printf(MSG_MSGDUMP,
+					   "CTRL: Had to throttle %u global event message(s) for sock %d",
+					   gpriv->throttle_count, gpriv->sock);
+			}
+			gpriv->throttle_count = 0;
 			wpa_supplicant_ctrl_iface_send(
 				wpa_s,
 				type != WPA_MSG_PER_INTERFACE ?
 				NULL : wpa_s->ifname,
-				priv->sock, &priv->ctrl_dst, level, txt, len,
-				NULL, priv);
+				gpriv->sock, &gpriv->ctrl_dst, level,
+				txt, len, NULL, gpriv);
 		}
 	}
 
-	if (type == WPA_MSG_ONLY_GLOBAL || wpa_s->ctrl_iface == NULL)
-		return;
-	wpa_supplicant_ctrl_iface_send(wpa_s, NULL, wpa_s->ctrl_iface->sock,
-				       &wpa_s->ctrl_iface->ctrl_dst,
-				       level, txt, len, wpa_s->ctrl_iface,
-				       NULL);
+	priv = wpa_s->ctrl_iface;
+
+	if (type != WPA_MSG_ONLY_GLOBAL && priv) {
+		if (!dl_list_empty(&priv->msg_queue) ||
+		    wpas_ctrl_iface_throttle(priv->sock)) {
+			if (priv->throttle_count == 0) {
+				wpa_printf(MSG_MSGDUMP,
+					   "CTRL: Had to throttle event message for sock %d",
+					   priv->sock);
+			}
+			priv->throttle_count++;
+			wpas_ctrl_msg_queue_limit(priv->throttle_count,
+						  &priv->msg_queue);
+			wpas_ctrl_msg_queue(&priv->msg_queue, wpa_s, level,
+					    type, txt, len);
+		} else {
+			if (priv->throttle_count) {
+				wpa_printf(MSG_MSGDUMP,
+					   "CTRL: Had to throttle %u event message(s) for sock %d",
+					   priv->throttle_count, priv->sock);
+			}
+			priv->throttle_count = 0;
+			wpa_supplicant_ctrl_iface_send(wpa_s, NULL, priv->sock,
+						       &priv->ctrl_dst, level,
+						       txt, len, priv, NULL);
+		}
+	}
 }
 
 
@@ -546,6 +767,7 @@ wpa_supplicant_ctrl_iface_init(struct wpa_supplicant *wpa_s)
 	if (priv == NULL)
 		return NULL;
 	dl_list_init(&priv->ctrl_dst);
+	dl_list_init(&priv->msg_queue);
 	priv->wpa_s = wpa_s;
 	priv->sock = -1;
 
@@ -592,6 +814,8 @@ static int wpas_ctrl_iface_reinit(struct wpa_supplicant *wpa_s,
 void wpa_supplicant_ctrl_iface_deinit(struct ctrl_iface_priv *priv)
 {
 	struct wpa_ctrl_dst *dst, *prev;
+	struct ctrl_iface_msg *msg, *prev_msg;
+	struct ctrl_iface_global_priv *gpriv;
 
 	if (priv->sock > -1) {
 		char *fname;
@@ -647,6 +871,22 @@ free_dst:
 	dl_list_for_each_safe(dst, prev, &priv->ctrl_dst, struct wpa_ctrl_dst,
 			      list)
 		os_free(dst);
+	dl_list_for_each_safe(msg, prev_msg, &priv->msg_queue,
+			      struct ctrl_iface_msg, list) {
+		dl_list_del(&msg->list);
+		os_free(msg);
+	}
+	gpriv = priv->wpa_s->global->ctrl_iface;
+	if (gpriv) {
+		dl_list_for_each_safe(msg, prev_msg, &gpriv->msg_queue,
+				      struct ctrl_iface_msg, list) {
+			if (msg->wpa_s == priv->wpa_s) {
+				dl_list_del(&msg->list);
+				os_free(msg);
+			}
+		}
+	}
+	eloop_cancel_timeout(wpas_ctrl_msg_queue_timeout, priv->wpa_s, NULL);
 	os_free(priv);
 }
 
@@ -716,6 +956,7 @@ static void wpa_supplicant_ctrl_iface_send(struct wpa_supplicant *wpa_s,
 			      offsetof(struct sockaddr_un, sun_path));
 		msg.msg_name = (void *) &dst->addr;
 		msg.msg_namelen = dst->addrlen;
+		wpas_ctrl_sock_debug("ctrl_sock-sendmsg", sock, buf, len);
 		if (sendmsg(sock, &msg, MSG_DONTWAIT) >= 0) {
 			wpa_printf(MSG_MSGDUMP,
 				   "CTRL_IFACE monitor sent successfully to %s",
@@ -873,6 +1114,8 @@ static void wpa_supplicant_global_ctrl_iface_receive(int sock, void *eloop_ctx,
 	}
 
 	if (reply) {
+		wpas_ctrl_sock_debug("global_ctrl_sock-sendto",
+				     sock, reply, reply_len);
 		if (sendto(sock, reply, reply_len, 0, (struct sockaddr *) &from,
 			   fromlen) < 0) {
 			wpa_printf(MSG_DEBUG, "ctrl_iface sendto failed: %s",
@@ -1073,6 +1316,7 @@ wpa_supplicant_global_ctrl_iface_init(struct wpa_global *global)
 	if (priv == NULL)
 		return NULL;
 	dl_list_init(&priv->ctrl_dst);
+	dl_list_init(&priv->msg_queue);
 	priv->global = global;
 	priv->sock = -1;
 
@@ -1122,6 +1366,7 @@ void
 wpa_supplicant_global_ctrl_iface_deinit(struct ctrl_iface_global_priv *priv)
 {
 	struct wpa_ctrl_dst *dst, *prev;
+	struct ctrl_iface_msg *msg, *prev_msg;
 
 	if (priv->sock >= 0) {
 		eloop_unregister_read_sock(priv->sock);
@@ -1132,5 +1377,10 @@ wpa_supplicant_global_ctrl_iface_deinit(struct ctrl_iface_global_priv *priv)
 	dl_list_for_each_safe(dst, prev, &priv->ctrl_dst, struct wpa_ctrl_dst,
 			      list)
 		os_free(dst);
+	dl_list_for_each_safe(msg, prev_msg, &priv->msg_queue,
+			      struct ctrl_iface_msg, list) {
+		dl_list_del(&msg->list);
+		os_free(msg);
+	}
 	os_free(priv);
 }