| Commit message | Author | Age | Files | Lines |
| |
Bug: 117508900
Change-Id: I4889513c0671ff2b689f1beca8084d6f149d473d
Test: Existing tests pass
(cherry picked from commit 29d54b87f121c79d5df87b0b2bcd7a1eb6090c1f)
| |
ieee802_11_rx_wnmsleep_req() might be called for a short frame that has
no more payload after the Public Action field, i.e., with len == 0. The
bounds checking for the payload length was done only for the information
elements while the one octet Dialog Token field was read
unconditionally. This could result in reading one octet beyond the end
of the received frame data.
Depending on driver interface specific mechanism used for fetching the
frame, this could result in reading one octet beyond the end of a
stack/hash buffer or reading an uninitialized octet from within a
buffer. The actual value that was read as the Dialog Token field is not
used since the function returns immediately after having read this value
when there are no information elements following the field.
This issue was initially added in commit d32d94dbf47a ("WNM: Add
WNM-Sleep Mode implementation for AP") (with CONFIG_IEEE80211V=y build
option) and it remained in place during a number of cleanup and fix
changes in this area and renaming of the build parameter to
CONFIG_WNM=y. The impacted function was not included in any default
build without one of these optional build options being explicitly
enabled. CONFIG_WNM=y is still documented as "experimental and not
complete implementation" in hostapd/defconfig. In addition, commit
114f2830d2c2 ("WNM: Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0
case") made this function exit before the impacted read if WNM-Sleep Mode
support was not explicitly enabled in runtime configuration
(wnm_sleep_mode=1 in hostapd.conf).
Fix this by explicitly checking the frame has enough payload before
reading the Dialog Token field.
Bug: 111893132
Change-Id: I4b61e22c39d1a5683923eff34e43bb0c509913d4
Merged-In: I4b61e22c39d1a5683923eff34e43bb0c509913d4
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
(cherry picked from commit 7a543744db8ece2376b019040b5668ede68ebd8b)
| |
Instead of setting the default PMK length for the cleared PMK, set the
length to 0 and explicitly check for this when deriving PTK to avoid
unexpected key derivation with an all-zeroes key should it be possible
to somehow trigger PTK derivation to happen before PMK derivation.
[backport to 11.0: Added PMA_LEN_MAX manually instead of picking
the dependency]
Change-Id: Ia0fa2ff55c99fe3a2152092dc431f125f2d74033
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
This makes it easier to understand the cases where PMK gets configured
based on information from upper layer call (e.g., a PSK).
Change-Id: I311cdcab329272dde2413405e43a5866c956b0f0
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
Currently, reinstallations of the PTK are prevented by (1) assuring the
same TPTK is only set once as the PTK, and (2) that one particular PTK
is only installed once. This patch makes it more explicit that point (1)
is required to prevent key reinstallations. At the same time, this patch
hardens wpa_supplicant such that future changes do not accidentally
break this property.
Change-Id: I0c998c0f6f77d00387d8472d75fdb1fa6335eaa4
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
| |
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.
This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.
Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentally reachable.
Change-Id: I7324fcaadd5ce5e3ee9500dce2cb1b52a043440c
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
The driver is expected to not report a second association event without
the station having explicitly requested a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.
Change-Id: I372aab2ff1ecdd648f50772944595aced4ac1439
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
Do not try to reconfigure the same TPK-TK to the driver after it has
been successfully configured. This is an explicit check to avoid issues
related to resetting the TX/RX packet number. There was already a check
for this for TPK M2 (retries of that message are ignored completely), so
that behavior does not get modified.
For TPK M3, the TPK-TK could have been reconfigured, but that was
followed by immediate teardown of the link due to an issue in updating
the STA entry. Furthermore, for TDLS with any real security (i.e.,
ignoring open/WEP), the TPK message exchange is protected on the AP path
and simple replay attacks are not feasible.
As an additional corner case, make sure the local nonce gets updated if
the peer uses a very unlikely "random nonce" of all zeros.
Change-Id: I899d293ebdf82363700c101b1c8640f15f1d26cc
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
The Authenticator state machine path for PTK rekeying ended up bypassing
the AUTHENTICATION2 state where a new ANonce is generated when going
directly to the PTKSTART state since there is no need to try to
determine the PMK again in such a case. This is far from ideal since the
new PTK would depend on a new nonce only from the supplicant.
Fix this by generating a new ANonce when moving to the PTKSTART state
for the purpose of starting new 4-way handshake to rekey PTK.
Change-Id: I77e8685f5da89f95aa806343c63bc7a4d6fdf6e8
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
This extends the protection to track last configured GTK/IGTK value
separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
corner case where these two different mechanisms may get used when the
GTK/IGTK has changed and tracking a single value is not sufficient to
detect a possible key reconfiguration.
Change-Id: I81cafeafd193ece21c66dc185cb2c4a17c524e4c
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
Track the current GTK and IGTK that is in use and when receiving a
(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
not install the given key if it is already in use. This prevents an
attacker from trying to trick the client into resetting or lowering the
sequence counter associated with the group key.
[backport to 11.0: Added WPA_IGTK_MAX_LEN manually instead of picking
the dependency]
Change-Id: If19fa9446d034723c889f42694be74dffe361167
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
| |
Do not reinstall TK to the driver during Reassociation Response frame
processing if the first attempt of setting the TK succeeded. This avoids
issues related to clearing the TX/RX PN that could result in reusing
same PN values for transmitted frames (e.g., due to CCM nonce reuse and
also hitting replay protection on the receiver) and accepting replayed
frames on RX side.
This issue was introduced by the commit
0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
authenticator') which allowed wpa_ft_install_ptk() to be called multiple
times with the same PTK. While the second configuration attempt is
needed with some drivers, it must be done only if the first attempt
failed.
Change-Id: I80ee0894e62ea7eec17ed3dffa5d0f390509a3f8
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
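Added example, not wpa_supplicant code: a C model of the reinstallation guards described in the commits above (a PTK is pushed to the driver once, an FT TK is not reinstalled after a successful first attempt, and the group key last seen on the EAPOL-Key path and on the WNM-Sleep Mode path are tracked separately so a late retransmission on either path is recognised). Assumptions: driver_set_key() is a hypothetical stand-in for the driver call, and the keys are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_MAX_LEN 32     /* large enough for TKIP/CCMP/GCMP TKs and IGTKs */

/* Hypothetical stand-in for the driver key-install call; it only counts
 * invocations so the effect of the guards below can be observed. */
static int driver_set_key_calls;
static int driver_set_key(const uint8_t *key, size_t len)
{
    (void) key; (void) len;
    driver_set_key_calls++;
    return 0;
}

enum key_src { SRC_EAPOL = 0, SRC_WNM_SLEEP = 1 };

struct key_track {
    /* Pairwise: the TK last pushed to the driver, and whether one was. */
    uint8_t tk[KEY_MAX_LEN];
    size_t tk_len;
    int tk_installed;
    /* Group (GTK or IGTK): last value delivered by each mechanism. If the
     * key changed between an EAPOL-Key frame and a WNM-Sleep Mode Response,
     * a single "last key" could not recognise a late retransmission on the
     * other path as a reinstallation. */
    uint8_t gtk_last[2][KEY_MAX_LEN];
    size_t gtk_last_len[2];
};

/* Returns 1 if installed, 0 if skipped because the identical key is already
 * in use (installing it again would reset the TX/RX packet numbers and
 * invite nonce reuse), -1 on a driver error so the caller may retry. */
int install_tk(struct key_track *kt, const uint8_t *tk, size_t len)
{
    if (len == 0 || len > KEY_MAX_LEN)
        return -1;
    if (kt->tk_installed && kt->tk_len == len && memcmp(kt->tk, tk, len) == 0)
        return 0;
    if (driver_set_key(tk, len) < 0)
        return -1;                  /* nothing recorded: a retry is still allowed */
    memcpy(kt->tk, tk, len);
    kt->tk_len = len;
    kt->tk_installed = 1;
    return 1;
}

int install_gtk(struct key_track *kt, enum key_src src,
                const uint8_t *gtk, size_t len)
{
    int i;
    if (len == 0 || len > KEY_MAX_LEN)
        return -1;
    for (i = 0; i < 2; i++)         /* known on either path: already in use */
        if (kt->gtk_last_len[i] == len && memcmp(kt->gtk_last[i], gtk, len) == 0)
            return 0;
    if (driver_set_key(gtk, len) < 0)
        return -1;
    memcpy(kt->gtk_last[src], gtk, len);
    kt->gtk_last_len[src] = len;
    return 1;
}

/* Constructed scenario; returns how many driver installs actually happened
 * (4 with the guards, 8 without them). */
int key_track_scenario(void)
{
    struct key_track kt;
    uint8_t k1[16], k2[16];
    memset(&kt, 0, sizeof(kt));
    memset(k1, 0x11, sizeof(k1));
    memset(k2, 0x22, sizeof(k2));
    driver_set_key_calls = 0;
    install_tk(&kt, k1, 16);                  /* 4-way handshake msg 3: install */
    install_tk(&kt, k1, 16);                  /* retransmitted msg 3: skip */
    install_gtk(&kt, SRC_EAPOL, k1, 16);      /* group msg 1: install */
    install_gtk(&kt, SRC_EAPOL, k1, 16);      /* retransmitted group msg 1: skip */
    install_gtk(&kt, SRC_WNM_SLEEP, k2, 16);  /* WNM-Sleep delivers new key: install */
    install_gtk(&kt, SRC_EAPOL, k1, 16);      /* late retransmission of k1: skip */
    install_gtk(&kt, SRC_EAPOL, k2, 16);      /* k2 over EAPOL, already in use: skip */
    install_tk(&kt, k2, 16);                  /* genuine PTK rekey: install */
    return driver_set_key_calls;
}
```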
| |
If there is no retrieved parameter, we should not dereference NULL.
Bug: 27748546
Change-Id: I8e6ceba26ab7d73ab365b72c0bfdcdb0a36a59a7
| |
Spurious newlines output while writing the config file can
corrupt the wpa_supplicant configuration. Avoid writing these.
Bug: 27371366
Change-Id: I3bb99b8c46dba1c81cbccc76ed0cd01abc3ccef9
| |
It was possible for the 32-bit record->total_length value to end up
wrapping around due to integer overflow if the longer form of payload
length field is used and record->payload_length gets a value close to
2^32. This could result in ndef_parse_record() accepting a too large
payload length value and the record type filter reading up to about 20
bytes beyond the end of the buffer and potentially killing the process.
This could also result in an attempt to allocate close to 2^32 bytes of
heap memory and if that were to succeed, a buffer read overflow of the
same length which would most likely result in the process termination.
In case of record->total_length ending up getting the value 0, there
would be no buffer read overflow, but record parsing would result in an
infinite loop in ndef_parse_records().
Any of these error cases could potentially be used for denial of service
attacks over NFC by using a malformed NDEF record on an NFC Tag or
sending them during NFC connection handover if the application providing
the NDEF message to hostapd/wpa_supplicant did no validation of the
received records. While such validation is likely done in the NFC stack
that needs to parse the NFC messages before further processing,
hostapd/wpa_supplicant better be prepared for any data being included
here.
Fix this by validating record->payload_length value in a way that
detects integer overflow. (CID 122668)
Change-Id: Ib8596c753a67b94f55bfae0a714208e775a08218
Signed-off-by: Jouni Malinen <j@w1.fi>
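Added example, not the hostap ndef.c code: a record parser for the NDEF header layout the commit above describes (flags, type length, 1- or 4-octet payload length, optional ID length), written so every length is checked against the octets that remain before it is added, which is what keeps total_length from wrapping or reaching 0 and looping. Assumptions: NDEF_MAX_PAYLOAD is an assumed sanity cap, and the records in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define NDEF_FLAG_SHORT_RECORD 0x10   /* SR: 1-octet payload length */
#define NDEF_FLAG_ID_PRESENT   0x08   /* IL: ID Length octet present */
#define NDEF_MAX_PAYLOAD       20000  /* assumed sanity cap on one payload */

struct ndef_record {
    const uint8_t *type;    size_t type_length;
    const uint8_t *id;      size_t id_length;
    const uint8_t *payload; size_t payload_length;
    size_t total_length;    /* header + type + id + payload, always >= 2 */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
           ((uint32_t) p[2] << 8) | p[3];
}

/* Parse the record at data[0..size). Each length field is compared with the
 * octets that actually remain before it is consumed, so total_length is
 * built from bounded terms and can neither wrap nor exceed size.
 * Returns 0 on success, -1 on a malformed record. */
int ndef_parse_record(const uint8_t *data, size_t size, struct ndef_record *r)
{
    size_t pos = 0, left;
    uint8_t flags;

    if (size < 2)
        return -1;
    flags = data[pos++];
    r->type_length = data[pos++];
    if (flags & NDEF_FLAG_SHORT_RECORD) {
        if (size - pos < 1)
            return -1;
        r->payload_length = data[pos++];
    } else {
        uint32_t len;
        if (size - pos < 4)
            return -1;
        len = get_be32(&data[pos]);
        pos += 4;
        /* Rejected before any arithmetic: a value near 2^32 is what wrapped
         * the old 32-bit total_length, in the extreme case to 0. */
        if (len > NDEF_MAX_PAYLOAD)
            return -1;
        r->payload_length = len;
    }
    if (flags & NDEF_FLAG_ID_PRESENT) {
        if (size - pos < 1)
            return -1;
        r->id_length = data[pos++];
    } else {
        r->id_length = 0;
    }
    left = size - pos;
    if (r->type_length > left)
        return -1;
    r->type = r->type_length ? &data[pos] : NULL;
    pos += r->type_length; left -= r->type_length;
    if (r->id_length > left)
        return -1;
    r->id = r->id_length ? &data[pos] : NULL;
    pos += r->id_length; left -= r->id_length;
    if (r->payload_length > left)
        return -1;
    r->payload = r->payload_length ? &data[pos] : NULL;
    pos += r->payload_length;
    r->total_length = pos;
    return 0;
}

/* Walk every record of an NDEF message. Because total_length is at least 2
 * and at most the remaining size, the loop always advances and terminates.
 * Returns the record count or -1 on the first malformed record. */
int ndef_count_records(const uint8_t *data, size_t size)
{
    int n = 0;
    while (size > 0) {
        struct ndef_record r;
        if (ndef_parse_record(data, size, &r) < 0)
            return -1;
        data += r.total_length;
        size -= r.total_length;
        n++;
    }
    return n;
}
```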
| |
WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
enabled. Verify that PMF is in use before using this field on station
side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
Change-Id: I85b218bcf930624638fef74f918ed78df9752386
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)
Change-Id: Ie5c25b7890abb1d62dcfe0ac14dbf277d321fc3d
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)
Change-Id: I84bd2c3993a88f87fba71854b37671411bc2a651
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)
Change-Id: Ifaa7c76bd0b27fc61f1e3e5b33eb14d281289dcb
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
The L (Length) and M (More) flags need to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.
Change-Id: Id3bb2a36b7b0a040e81ec1f1064934047606259a
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoids a
potential memory leak when processing an invalid message.
Change-Id: I1501af3aefa3a9784704cbd8ec625f66b4bb5df5
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.
In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoids a
potential memory leak when processing an invalid message.
Change-Id: Iff93a6434df546f093eb192e999e82f999abb96e
Signed-off-by: Jouni Malinen <j@w1.fi>
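Added example, not the hostap EAP-pwd code: a C model of the fragment handling the five EAP-pwd fragmentation commits above describe, in one place: the Total-Length field is checked for before it is read, a second L-flagged fragment while reassembly is in progress is refused instead of leaking the old buffer, every fragment including the last is checked against the room left, and the L/M bits of the received exchange octet are cleared before the local response decides on its own fragmentation. Assumptions: EAP_PWD_MAX_TOTAL is an assumed cap, and the fragments in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EAP_PWD_HDR_L       0x80    /* Length flag: 2-octet Total-Length follows */
#define EAP_PWD_HDR_M       0x40    /* More flag: further fragments follow */
#define EAP_PWD_EXCH_MASK   0x3f
#define EAP_PWD_MAX_TOTAL   4096    /* assumed cap; the field itself allows 65535 */

enum { PWD_FRAG_ERR = -1, PWD_FRAG_MORE = 0, PWD_FRAG_DONE = 1 };

struct pwd_reasm {
    uint8_t *buf;      /* NULL when no reassembly is in progress */
    size_t total;      /* announced Total-Length */
    size_t used;       /* octets collected so far */
};

void pwd_reasm_free(struct pwd_reasm *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total = r->used = 0;
}

/* Process the EAP-pwd payload after the Type octet: one L/M/exchange octet,
 * optional Total-Length, then data. On PWD_FRAG_DONE *out/*out_len point at
 * the complete message (r->buf when it arrived fragmented). */
int pwd_process_fragment(struct pwd_reasm *r, const uint8_t *pkt, size_t len,
                         const uint8_t **out, size_t *out_len)
{
    uint8_t lm;
    if (len < 1)
        return PWD_FRAG_ERR;
    lm = pkt[0]; pkt++; len--;
    if (lm & EAP_PWD_HDR_L) {
        size_t total;
        if (len < 2)                       /* Total-Length field missing: the */
            return PWD_FRAG_ERR;           /* old code did len -= 2 regardless */
        total = ((size_t) pkt[0] << 8) | pkt[1];
        pkt += 2; len -= 2;
        if (r->buf)                        /* fragments already in progress: */
            return PWD_FRAG_ERR;           /* refuse rather than leak the buffer */
        if (total == 0 || total > EAP_PWD_MAX_TOTAL)
            return PWD_FRAG_ERR;
        r->buf = malloc(total);
        if (!r->buf)
            return PWD_FRAG_ERR;
        r->total = total; r->used = 0;
    } else if ((lm & EAP_PWD_HDR_M) && !r->buf) {
        return PWD_FRAG_ERR;               /* "more" without an announced total */
    }
    if (r->buf) {
        /* Applies to every fragment, the last one included: the old code
         * skipped this check for the final fragment. */
        if (len > r->total - r->used) {
            pwd_reasm_free(r);
            return PWD_FRAG_ERR;
        }
        memcpy(r->buf + r->used, pkt, len);
        r->used += len;
        if (lm & EAP_PWD_HDR_M)
            return PWD_FRAG_MORE;          /* caller sends the fragment ACK */
        if (r->used != r->total) {
            pwd_reasm_free(r);
            return PWD_FRAG_ERR;
        }
        *out = r->buf; *out_len = r->total;
        return PWD_FRAG_DONE;
    }
    *out = pkt; *out_len = len;            /* unfragmented message */
    return PWD_FRAG_DONE;
}

/* L/M/exchange octet for the first fragment of a locally generated response.
 * The server's L and M bits are cleared first; only the local length decides
 * whether the response needs fragmenting. */
uint8_t pwd_response_flags(uint8_t received_lm_exch, size_t resp_len, size_t mtu)
{
    uint8_t flags = received_lm_exch & EAP_PWD_EXCH_MASK;
    if (resp_len > mtu)
        flags |= EAP_PWD_HDR_L | EAP_PWD_HDR_M;
    return flags;
}
```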
| |
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Change-Id: I5688a52eb08bbfe11dd0b82c63e540c43091ca18
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.
Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Change-Id: Id2bc93879b12ffcd94b1ecdc98fc6c5f730d7027
Signed-off-by: Jouni Malinen <j@w1.fi>
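Added example, not the hostap EAP-pwd peer code: a C model of the sequencing rules from the two Commit/Confirm commits above and the earlier "Confirm before Identity" NULL-dereference commit, in which each server message is accepted only in the expected state and only with exactly the payload length its exchange requires. Assumptions: the Identity exchange selects an assumed group with 32-octet prime and order and a 32-octet hash; payload contents are not processed.

```c
#include <stddef.h>
#include <stdint.h>

/* Exchange codes carried in the EAP-pwd exchange field (RFC 5931). */
enum { EAP_PWD_OPCODE_ID_EXCH = 1, EAP_PWD_OPCODE_COMMIT_EXCH = 2,
       EAP_PWD_OPCODE_CONFIRM_EXCH = 3 };

enum pwd_peer_state { PWD_ID_REQ, PWD_COMMIT_REQ, PWD_CONFIRM_REQ,
                      PWD_SUCCESS, PWD_FAILURE };

struct pwd_peer {
    enum pwd_peer_state state;
    /* Group parameters exist only after the Identity exchange picked the
     * group; before that there is nothing to validate a Confirm against
     * (the data->grp == NULL corner case). */
    int grp_set;
    size_t prime_len, order_len, hash_len;
};

/* Assumed group selection for this model: P-256 sizes and SHA-256. */
static void pwd_select_group(struct pwd_peer *p)
{
    p->grp_set = 1;
    p->prime_len = 32;
    p->order_len = 32;
    p->hash_len = 32;
}

/* Returns 0 if the server message is acceptable in the current state and
 * has exactly the length its exchange requires, -1 otherwise (the peer
 * moves to PWD_FAILURE). Payload contents are not processed here. */
int pwd_peer_process(struct pwd_peer *p, uint8_t exch, size_t payload_len)
{
    switch (exch) {
    case EAP_PWD_OPCODE_ID_EXCH:
        if (p->state != PWD_ID_REQ)
            break;
        pwd_select_group(p);
        p->state = PWD_COMMIT_REQ;
        return 0;
    case EAP_PWD_OPCODE_COMMIT_EXCH:
        /* Element (2 * prime_len) followed by Scalar (order_len), nothing
         * shorter, nothing longer */
        if (p->state != PWD_COMMIT_REQ || !p->grp_set ||
            payload_len != 2 * p->prime_len + p->order_len)
            break;
        p->state = PWD_CONFIRM_REQ;
        return 0;
    case EAP_PWD_OPCODE_CONFIRM_EXCH:
        /* Confirm carries exactly one hash output */
        if (p->state != PWD_CONFIRM_REQ || !p->grp_set ||
            payload_len != p->hash_len)
            break;
        p->state = PWD_SUCCESS;
        return 0;
    default:
        break;
    }
    p->state = PWD_FAILURE;
    return -1;
}
```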
| |
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and, while doing
so, cause a segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Change-Id: I8f1f9734f74124df51eba4f075f7b9bc14af1332
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.
This could have been used to cause a denial of service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).
Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Change-Id: Ie9a6d41f2f7dea0010a24147257547fc6479b499
Signed-off-by: Jouni Malinen <j@w1.fi>
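Added example, not the hostap httpread.c code: chunk-size parsing that keeps the strtoul() result in an unsigned long, rejects values that would not fit an int or exceed the configured body limit, and a chunked-body walker that also bounds the running total. Assumptions: the chunked messages in the test are constructed, and the body limit is an assumed parameter.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Parse the hexadecimal chunk-size that starts a chunk header line. Returns
 * the size, or -1 when the field is malformed, would not fit an int
 * (strtoul() yields unsigned long, so e.g. 0x80000000 stored into an int
 * turns negative) or exceeds the configured body limit. *next receives a
 * pointer to the octet after the digits (chunk extension or CRLF). */
int http_parse_chunk_size(const char *line, size_t max_body, const char **next)
{
    unsigned long v;
    char *end;

    /* strtoul() silently skips leading whitespace and accepts a '-' sign;
     * a chunk-size is a bare hex number, so demand a hex digit up front. */
    if (!isxdigit((unsigned char) line[0]))
        return -1;
    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE)
        return -1;                          /* too large even for unsigned long */
    if (*end != '\r' && *end != ';' && *end != ' ' && *end != '\t' && *end != '\0')
        return -1;                          /* junk after the digits */
    if (v > INT_MAX || v > max_body)
        return -1;                          /* would go negative / oversized copy */
    *next = end;
    return (int) v;
}

/* Decode the framing of a complete chunked body held in the NUL-terminated
 * string msg and return the decoded length, or -1 if a chunk header or a
 * chunk is malformed, the last-chunk is missing, or the running total would
 * exceed max_body. Chunk data is only measured here, never copied. */
long http_chunked_total(const char *msg, size_t max_body)
{
    size_t len = strlen(msg), pos = 0, total = 0;

    for (;;) {
        const char *line = msg + pos, *after, *crlf;
        int chunk;

        if (pos >= len)
            return -1;                      /* ran out before the 0-size chunk */
        crlf = memchr(line, '\r', len - pos);
        if (!crlf || (size_t) (crlf - msg) + 1 >= len || crlf[1] != '\n')
            return -1;
        chunk = http_parse_chunk_size(line, max_body, &after);
        if (chunk < 0)
            return -1;
        pos = (size_t) (crlf - msg) + 2;    /* first octet of chunk-data */
        if (chunk == 0)
            return (long) total;            /* last-chunk terminates the body */
        if ((size_t) chunk > max_body - total)
            return -1;                      /* total bounded, not just one chunk */
        if ((size_t) chunk + 2 > len - pos)
            return -1;                      /* chunk-data and its CRLF must exist */
        if (msg[pos + chunk] != '\r' || msg[pos + chunk + 1] != '\n')
            return -1;
        total += (size_t) chunk;
        pos += (size_t) chunk + 2;
    }
}
```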
| |
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.
This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.
Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
(cherry picked from commit fdb708a37d8f7f1483e3cd4e8ded974f53fedace)
Change-Id: Ibc53ff533f78cfcd7c51fbb5d5494b828f184cc8
| |
In the mediatek platform the performance of p2p connections will
degrade significantly if different frequencies are used for STA and
P2P.
Change-Id: I8bd7e4a3f10177c99d273eccb88c8590fcbe3d34
| |
* ANDROID_P2P breaks hotspot on wl12xx devices
Change-Id: Ifd8caf40df49c1a3184e017a48d2bd81942f4268
| |
Change-Id: I781ce5410bda14bc55719198e14c9ce36fa3b648
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
| |
If a separate P2P group interface is used, PBC overlap during group
formation causes the group interface to be removed, which ends up with
the interface context becoming invalid. Fix this by scheduling a timeout
to process the PBC overlap and interface removal instead of removing the
interface directly before the connection operation has returned.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Git-commit: ace0fbdb69b492a3aa6f24d07f0d6d4dffc4b7dc
Git-repo : git://w1.fi/srv/git/hostap.git
Change-Id: Iee452eb1ea731c7e216e0ec25a7c7235756589ac
CRs-fixed: 670339
| |
Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.
CRs-Fixed: 654804
Change-Id: Iee0a8de08fd0f7d66b3bfd0c4396637d9b70e92f
Git-commit: 9c29d48725fd40a82407a89f193cf009aeef9745
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
A P2P Device while in the Listen state waiting to respond for the
obtained group negotiation request shall give a fair chance for other
concurrent sessions to use the shared radio by inducing an idle time
between the successive listen states. However, if there are no
concurrent operations, this idle time can be reduced.
CRs-Fixed: 606348
Git-commit: a2d63657603b8f0714274f34bea45cb5d0c0a7b9
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: Ifbc6b7687889055764ef462abb710ef9a6c580a8
| |
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Change-Id: If46d6cfcb9d7fc9700965e818315e5aa50fa11a5
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Change-Id: I0005ed08e4b06ba3d2ebe95b9240050e47ed2e8c
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
Change-Id: I579af1fa8c2f85622ffddb186ba799dcb9ac4b6f
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
The scan result comparison routine would not make much sense without
current BSS level known, so return from the function without going
through the iteration that could have dereferenced the pointer if
wpa_s->current_bss == NULL.
CRs-Fixed: 684325
Change-Id: Ifb12fb53f5ca193e0d1c23c3115e3507108cbf00
Git-commit: 67adcd266c4ef3f9356190ef2c0727303f9532cb
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <j@w1.fi>
| |
This commit adds few more debug prints to log the RSSI information from
the scanned BSSIDs and the current connected BSSID when comparing
neighbor results during WNM Transition Management Request processing.
CRs-Fixed: 684325
Change-Id: Id67bd7d898540d029ea7c67f992834dde140358f
Git-commit: 3c1060ff8fec3d5f8b14ccfd9b37ed6b682434e6
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
| |
Extend the previous commit 0f1034e3889e7b8f54ed59317f1234db8167d12e to
skip extended listen also based on ongoing provision discovery operation
(which does not show up as a separate P2P module state and as such, was
not covered by the previous commit).
CRs-Fixed: 661586
Git-commit: 7e68be38e46d8f6cc7d5bc8083fe470d0418fb4f
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: Icdf4aac5b4b7c5600459f07a680f1171f8191dd0
| |
Do not perform extended listen period operations when a P2P
connection is in progress. This makes the connection more robust should
an extended listen timer trigger during such an operation.
CRs-Fixed: 661586
Git-commit: 0f1034e3889e7b8f54ed59317f1234db8167d12e
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: I1f51d34e956fa2d6529c15c6b6dcb6cea1b3de41
| |
Commit 795baf773f6d53bae3cfae4df6edda63e5022344 ('hostapd: Filter
channel list updated events after country code change') uses the
EVENT_CHANNEL_LIST_CHANGED data pointer, but it updated only one of the
callers to provide that data. NL80211_CMD_REG_BEACON_HINT event was
still sending the event without the initiator data and resulted in NULL
pointer dereference, e.g., if a scan was run while hostapd was running
and the driver was in world roaming state and enabled a channel for
active scans.
CRs-Fixed: 662554
Git-commit: 8597ebdbd44dd4dfb680a17a1d71c183377a0223
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: I947dc781166a627c8f80b08d43c094fe34a49279
| |
This is not present in wpa_supplicant_8_ti variant anymore.
Improves WiFi AP behaviour on wl12xx devices.
This reverts commit 4d11042be9623f74660d930c7bcb82ae6e6fd4df.
Change-Id: I56da55fe63fb9417e142a19a7c3a9f3fad2f49a1
| |
Follow the PKCS #1 v1.5, 8.1 constraint of at least eight octets long PS
for the case where the internal TLS implementation decrypts PKCS #1
formatted data. Similar limit was already in place for signature
validation, but not for this decryption routine.
CRs-Fixed: 654804
Change-Id: I54f6d90ca931c55a8fa52f836bca891cae2250f2
Git-commit: 6c5be116dd6997f68e524247751cff53c74519d7
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
Based on PKCS #1, v1.5, 10.1.3, the block type shall be 01 for a
signature. This avoids a potential attack vector for internal TLS/X.509
implementation.
CRs-Fixed: 654804
Change-Id: I1f3b4efb636828d27c06cfcbcb22a9af989bf164
Git-commit: e6d83cc7babb978ba53ae8686159b41ab0f448cc
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.
CRs-Fixed: 654804
Change-Id: Iee0a8de08fd0f7d66b3bfd0c4396637d9b70e92f
Git-commit: 9c29d48725fd40a82407a89f193cf009aeef9745
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
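Added example, not the hostap internal TLS code: the three PKCS #1 v1.5 checks from the commits above (block type must be 01 for a signature, the padding string PS must be at least eight octets for either block type, and no data may follow the hash) applied to a decoded block, with a constructed block builder so the rejected cases can be exercised. Assumptions: the SHA-256 DigestInfo prefix is the standard DER constant, and the hash bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKCS1_BT_SIGNATURE  0x01    /* block type for signatures (10.1.3) */
#define PKCS1_BT_ENCRYPTION 0x02    /* block type for encryption */
#define PKCS1_MIN_PS_LEN    8       /* 8.1: PS is at least eight octets */

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t sha256_digestinfo_prefix[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
    0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Check the block 00 || BT || PS || 00 || D recovered by the RSA operation
 * and return D. The block type must match the operation (01 for signature,
 * 02 for encryption), PS must be 0xFF octets for BT 01 and non-zero octets
 * for BT 02, and PS must be at least eight octets either way. */
int pkcs1_v15_unpad(const uint8_t *em, size_t em_len, int expected_bt,
                    const uint8_t **d, size_t *d_len)
{
    size_t i;
    if (em_len < 3 + PKCS1_MIN_PS_LEN || em[0] != 0x00 || em[1] != expected_bt)
        return -1;
    for (i = 2; i < em_len && em[i] != 0x00; i++) {
        if (expected_bt == PKCS1_BT_SIGNATURE && em[i] != 0xFF)
            return -1;
    }
    if (i == em_len)
        return -1;                  /* no 00 separator in front of D */
    if (i - 2 < PKCS1_MIN_PS_LEN)
        return -1;                  /* padding string too short */
    *d = em + i + 1;
    *d_len = em_len - i - 1;
    return 0;
}

/* For a signature D is DigestInfo = DER prefix || hash. The length must
 * match exactly: octets after the hash are rejected rather than ignored,
 * so nothing can be appended to make an arbitrary block pass. */
int pkcs1_v15_check_digestinfo(const uint8_t *d, size_t d_len,
                               const uint8_t *prefix, size_t prefix_len,
                               const uint8_t *hash, size_t hash_len)
{
    if (d_len != prefix_len + hash_len)
        return -1;
    if (memcmp(d, prefix, prefix_len) != 0)
        return -1;
    return memcmp(d + prefix_len, hash, hash_len) == 0 ? 0 : -1;
}

/* Complete check of a signature block against a SHA-256 hash. */
int pkcs1_v15_verify_block(const uint8_t *em, size_t em_len, const uint8_t *hash)
{
    const uint8_t *d;
    size_t d_len;
    if (pkcs1_v15_unpad(em, em_len, PKCS1_BT_SIGNATURE, &d, &d_len) < 0)
        return -1;
    return pkcs1_v15_check_digestinfo(d, d_len, sha256_digestinfo_prefix,
                                      sizeof(sha256_digestinfo_prefix), hash, 32);
}

/* Construct a signature block for testing: ps_len octets of 0xFF and
 * `extra` junk octets appended after the hash. Returns the block length. */
size_t build_sig_block(uint8_t *em, const uint8_t *hash, size_t ps_len, size_t extra)
{
    size_t i, n = 0;
    em[n++] = 0x00;
    em[n++] = PKCS1_BT_SIGNATURE;
    for (i = 0; i < ps_len; i++)
        em[n++] = 0xFF;
    em[n++] = 0x00;
    memcpy(em + n, sha256_digestinfo_prefix, sizeof(sha256_digestinfo_prefix));
    n += sizeof(sha256_digestinfo_prefix);
    memcpy(em + n, hash, 32);
    n += 32;
    for (i = 0; i < extra; i++)
        em[n++] = 0x41;
    return n;
}
```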
| |
If a subelement is unexpectedly included multiple times, the parser must
not re-allocate memory for the entry without first freeing the old
allocation.
CRs-Fixed: 651033
Change-Id: Ib9dc7e0ba282546e29b32491db7da4a281cadf3c
Git-commit: e9cb7b9275951c1b7f70aba2d83fec91f4923f1b
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.
CRs-Fixed: 651033
Change-Id: I7179f4ab62f62864d13ef011dbf3a59156a2c7f1
Git-commit: 1aa6f953bb7b9093decc5817a2a7eaacf2eae61b
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| |
wnm_deallocate_memory() left wnm_num_neighbor_report set while freeing
the allocated buffer of neighbor reports. If this function was called
twice in a row without having gone through new neighbor report parsing,
invalid pointers could have been freed, resulting in a segfault.
CRs-Fixed: 651033
Change-Id: If11be7c57365bedc65d3c5fe31f42aceec65c74a
Git-commit: ec331d09a29c6b0dd5c59123688cd55f6dcdc31a
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
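Added example, not the wpa_supplicant wnm_sta.c code: a C model of the three neighbor report commits above, with the element ID and every subelement length verified before use, a repeated subelement freeing its earlier copy before the new one is stored, and a deallocation routine that resets the report count together with the buffer so that calling it twice is harmless. Assumptions: only the candidate preference subelement (ID 3) is kept, the fixed part of the element is taken as 13 octets, and the element in the test is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WLAN_EID_NEIGHBOR_REPORT 52
#define WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE 3  /* subelement: candidate preference */
#define NEIGHBOR_REPORT_FIXED 13   /* BSSID 6, BSSID Info 4, Op Class, Channel, PHY Type */

struct neighbor_report {
    uint8_t bssid[6];
    uint8_t *preference;        /* heap copy of the preference subelement body */
    size_t preference_len;
};

struct wnm_ctx {
    struct neighbor_report *reports;
    size_t num;                 /* plays the role of wnm_num_neighbor_report */
};

/* Parse one Neighbor Report element (ID, Length, body) from elem[0..avail)
 * into rep. Returns 0, or -1 if the element ID is not Neighbor Report or
 * the element or any subelement length does not fit the data present. */
int wnm_parse_neighbor_report(struct neighbor_report *rep,
                              const uint8_t *elem, size_t avail)
{
    const uint8_t *pos;
    size_t left;

    if (avail < 2 || elem[0] != WLAN_EID_NEIGHBOR_REPORT)
        return -1;
    if (elem[1] > avail - 2 || elem[1] < NEIGHBOR_REPORT_FIXED)
        return -1;
    memcpy(rep->bssid, elem + 2, 6);
    pos = elem + 2 + NEIGHBOR_REPORT_FIXED;
    left = elem[1] - NEIGHBOR_REPORT_FIXED;
    while (left > 0) {
        uint8_t sid, slen;
        if (left < 2)
            return -1;              /* truncated subelement header */
        sid = pos[0];
        slen = pos[1];
        if (slen > left - 2)
            return -1;              /* subelement runs past the element */
        if (sid == WNM_NEIGHBOR_BSS_TRANSITION_CANDIDATE) {
            uint8_t *copy = malloc(slen ? slen : 1);
            if (!copy)
                return -1;
            memcpy(copy, pos + 2, slen);
            free(rep->preference);  /* repeated subelement: release the earlier copy */
            rep->preference = copy;
            rep->preference_len = slen;
        }
        pos += 2 + slen;
        left -= 2 + slen;
    }
    return 0;
}

/* Release all parsed reports. Resetting num together with the buffer is
 * what makes a second call, with no parsing in between, a harmless no-op
 * instead of a walk over freed entries. */
void wnm_deallocate_memory(struct wnm_ctx *ctx)
{
    size_t i;
    for (i = 0; i < ctx->num; i++)
        free(ctx->reports[i].preference);
    free(ctx->reports);
    ctx->reports = NULL;
    ctx->num = 0;
}
```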
| |
Commit 41d5ce9e0b7b37dd84fbf3c1aa5ed571c32321d4 was intended to scan for
GO on the negotiated channel for few iterations, but it did not work
correctly due to incorrect operator being used. Fix this by requiring
both conditions to be met for the single channel scan.
CRs-Fixed: 661483
Git-commit: 28fa4eb2b2dd971321e49591aade07d56695cf3e
Git-repo : git://w1.fi/srv/git/hostap.git
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Change-Id: Ie1dcfb569b7fd08e0166812ec2506a3fea8fb309
| |
Mainline the DSDS feature support on host side and also
enhance the proxy layer to support both single SIM and
multi SIM (DSDS) feature.
Change-Id: If8087763db7bfa18232ce526c783521dc1bb9cdd
CRs-Fixed: 631880