path: root/src
Commit message (Author, Age, Files, Lines)
* NFC: Fix payload length validation in NDEF record parser (Author: Jouni Malinen, Age: 2015-11-11, Files: 1, Lines: -1/+4)
| It was possible for the 32-bit record->total_length value to end up wrapping around due to integer overflow if the longer form of payload length field is used and record->payload_length gets a value close to 2^32. This could result in ndef_parse_record() accepting a too large payload length value and the record type filter reading up to about 20 bytes beyond the end of the buffer and potentially killing the process. This could also result in an attempt to allocate close to 2^32 bytes of heap memory and if that were to succeed, a buffer read overflow of the same length which would most likely result in the process termination. In case of record->total_length ending up getting the value 0, there would be no buffer read overflow, but record parsing would result in an infinite loop in ndef_parse_records().
| Any of these error cases could potentially be used for denial of service attacks over NFC by using a malformed NDEF record on an NFC Tag or sending them during NFC connection handover if the application providing the NDEF message to hostapd/wpa_supplicant did no validation of the received records. While such validation is likely done in the NFC stack that needs to parse the NFC messages before further processing, hostapd/wpa_supplicant better be prepared for any data being included here.
| Fix this by validating record->payload_length value in a way that detects integer overflow. (CID 122668)
| CYNGNOS-1299
| Change-Id: Ib8596c753a67b94f55bfae0a714208e775a08218
| Signed-off-by: Jouni Malinen <j@w1.fi>
| (cherry picked from commit 9ec7ddc175aaf5941b161ecff6c86ad94356b47c)
* EAP-pwd peer: Fix last fragment length validation (Author: Jouni Malinen, Age: 2015-11-11, Files: 1, Lines: -4/+3)
| All but the last fragment had their length checked against the remaining room in the reassembly buffer. This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.
| CYNGNOS-1299
| Change-Id: Ie5c25b7890abb1d62dcfe0ac14dbf277d321fc3d
| Signed-off-by: Jouni Malinen <j@w1.fi>
| (cherry picked from commit bac9fa8f61ff322bc3d33912c77e9f6d6ba5f4ad)
* EAP-pwd server: Fix last fragment length validation (Author: Jouni Malinen, Age: 2015-11-11, Files: 1, Lines: -3/+3)
| All but the last fragment had their length checked against the remaining room in the reassembly buffer. This allowed a suitably constructed last fragment frame to try to add extra data that would go beyond the buffer. The length validation code in wpabuf_put_data() prevents an actual buffer write overflow from occurring, but this results in process termination.
| CYNGNOS-1299
| Change-Id: I84bd2c3993a88f87fba71854b37671411bc2a651
| Signed-off-by: Jouni Malinen <j@w1.fi>
| (cherry picked from commit c69b9d150fc53cd0f34279cb152ad946e93cc000)
* EAP-pwd peer: Fix error path for unexpected Confirm message (Author: Jouni Malinen, Age: 2015-11-11, Files: 1, Lines: -1/+2)
| If the Confirm message is received from the server before the Identity exchange has been completed, the group has not yet been determined and data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() did not take this corner case into account and could end up dereferencing a NULL pointer and terminating the process if invalid message sequence is received.
| CYNGNOS-1299
| Change-Id: Ifaa7c76bd0b27fc61f1e3e5b33eb14d281289dcb
| Signed-off-by: Jouni Malinen <j@w1.fi>
| (cherry picked from commit 6a51515fb0bd5da09e8865c2d9d33e4518437438)
* Merge branch 'LA.BF64.1.2.1' of git://codeaurora.org/platform/external/wpa_supplicant_8 into cm-12.1 (Author: Steve Kondik, Age: 2015-08-21, Files: 2, Lines: -0/+19)
|\
| * EAP-pwd server: Fix payload length validation for Commit and Confirm (Author: Jouni Malinen, Age: 2015-06-04, Files: 1, Lines: -0/+19)
| | The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message.
| | Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed.
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | CRs-Fixed: 833592
| | Git-commit: e28a58be26184c2a23f80b410e0997ef1bd5d578
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: Ie9a9132eb25aa1748cbca10e7f3149d04d13d823
| * EAP-pwd server: Fix Total-Length parsing for fragment reassembly (Author: Jouni Malinen, Age: 2015-06-04, Files: 1, Lines: -0/+10)
| | The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer.
| | In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing invalid message.
| | CRs-Fixed: 833592
| | Git-commit: 3035cc2894e08319b905bd6561e8bddc8c2db9fa
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: I458174b88195f09a712c775896e6efa8f2791bc0
| * EAP-pwd peer: Make sure in_frag_pos is cleared to zero on allocation. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+1)
| | The cleanup code will handle this, but it is more robust to make sure this is cleared to zero when allocating a new buffer.
| | CRs-Fixed: 833592
| | Git-commit: 6aa5d95dabe8a4cfd38d3cb661e0fde1c4f0e8e3
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: I32988456443d49f7e78557789f0ff1d03d73e4c1
| * EAP-pwd peer: Fix asymmetric fragmentation behavior. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+1)
| | The L (Length) and M (More) flags need to be cleared before deciding whether the locally generated response requires fragmentation. This fixes an issue where these flags from the server could have been invalid for the following message. In some cases, this could have resulted in triggering the wpabuf security check that would terminate the process due to invalid buffer allocation.
| | CRs-Fixed: 833592
| | Git-commit: 28a069a545b06b99eb55ad53f63f2c99e65a98f6
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: I29254a57c259c492f061a62657981f36bee8ca59
| * EAP-pwd peer: Fix Total-Length parsing for fragment reassembly. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+12)
| | The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer.
| | In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing invalid message.
| | CRs-Fixed: 833592
| | Git-commit: 477c74395acd0123340457ba6f15ab345d42016e
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: I9d55b2a7825c749c79f1b0ef73bd3b16516df834
| * EAP-pwd peer: Fix payload length validation for Commit and Confirm. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+29)
| | The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message.
| | Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed.
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | CRs-Fixed: 833592
| | Git-commit: dd2f043c9c43d156494e33d7ce22db96e6ef42c7
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: I864c6514e9f7eaa5e75dfa542057ecc288bb7d07
| * AP WMM: Fix integer underflow in WMM Action frame parser. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+3)
| | The length of the WMM Action frame was not properly validated and the length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault.
| | This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers).
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | CRs-Fixed: 833592
| | Git-commit: ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: I833b47fe9d46a71efa8bdefae1e9e75204382fec
| * WPS: Check maximum HTTP body length earlier in the process. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+13)
| | There is no need to continue processing a HTTP body when it becomes clear that the end result would be over the maximum length.
| | CRs-Fixed: 833592
| | Git-commit: 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: Ifac8bfab3ab617f0682ed104a712947cafbcd147
| * WPS: Extra validation step for HTTP reader (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+5)
| | Verify that ncopy parameter to memcpy is not negative. While this is not supposed to be needed, it is a good additional protection against unknown implementation issues.
| | CRs-Fixed: 833592
| | Git-commit: af185d0b578fc447b1db0b42a03d8b2467decffd
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: Ia00919c23298912f0f927fb4b4a98747fc40e0ac
| * WPS: Fix HTTP chunked transfer encoding parser. (Author: Jouni Malinen, Age: 2015-05-31, Files: 1, Lines: -0/+7)
| | strtoul() return value may end up overflowing the int h->chunk_size and resulting in a negative value to be stored as the chunk_size. This could result in the following memcpy operation using a very large length argument which would result in a buffer overflow and segmentation fault.
| | This could have been used to cause a denial of service by any device that has been authorized for network access (either wireless or wired). This would affect both the WPS UPnP functionality in a WPS AP (hostapd with upnp_iface parameter set in the configuration) and WPS ER (wpa_supplicant with WPS_ER_START control interface command used).
| | Validate the parsed chunk length value to avoid this. In addition to rejecting negative values, we can also reject chunk size that would be larger than the maximum configured body length.
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | CRs-Fixed: 833592
| | Git-commit: 5acd23f4581da58683f3cf5e36cb71bbe4070bd7
| | Git-repo : git://w1.fi/srv/git/hostap.git
| | Signed-off-by: Jouni Malinen <j@w1.fi>
| | Change-Id: If3e801d43e47af6c3ff96b64eea769db35d8fffc
| * P2P: Validate SSID element length before copying it (Author: Jouni Malinen, Age: 2015-04-27, Files: 1, Lines: -0/+1)
| | This fixes a possible memcpy overflow for P2P dev->oper_ssid in p2p_add_device(). The length provided by the peer device (0..255 bytes) was used without proper bounds checking and that could have resulted in arbitrary data of up to 223 bytes being written beyond the end of the dev->oper_ssid[] array (of which about 150 bytes would be beyond the heap allocation) when processing a corrupted management frame for P2P peer discovery purposes.
| | This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.
| | Thanks to Google security team for reporting this issue and smart hardware research group of Alibaba security team for discovering it.
| | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| | Git-repo: git://w1.fi/srv/git/hostap.git
| | Git-commit: 9ed4eee345f85e3025c33c6e20aa25696e341ccd
| | CRs-Fixed: 819135
| | Change-Id: Ieb7a14af9751a75cf3f209408e5c09c44f0d37db
* | eap_peer: Make the QMI EAP proxy a standalone lib (Author: Ricardo Cerqueira, Age: 2015-07-12, Files: 1, Lines: -0/+1)
| | This code can't be built without linking to some proprietary libs and headers. Split it off so a prebuilt can be distributed for OSS builds
| | Ref: CYNGNOS-428
| | Change-Id: I430dda72e8cb156d86ef286244230bb3f511ca23
* | WPS: Fix HTTP chunked transfer encoding parser (Author: Jouni Malinen, Age: 2015-05-22, Files: 1, Lines: -0/+7)
| | strtoul() return value may end up overflowing the int h->chunk_size and resulting in a negative value to be stored as the chunk_size. This could result in the following memcpy operation using a very large length argument which would result in a buffer overflow and segmentation fault.
| | This could have been used to cause a denial of service by any device that has been authorized for network access (either wireless or wired). This would affect both the WPS UPnP functionality in a WPS AP (hostapd with upnp_iface parameter set in the configuration) and WPS ER (wpa_supplicant with WPS_ER_START control interface command used).
| | Validate the parsed chunk length value to avoid this. In addition to rejecting negative values, we can also reject chunk size that would be larger than the maximum configured body length.
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | Change-Id: Ie9a6d41f2f7dea0010a24147257547fc6479b499
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | AP WMM: Fix integer underflow in WMM Action frame parser (Author: Jouni Malinen, Age: 2015-05-22, Files: 1, Lines: -0/+3)
| | The length of the WMM Action frame was not properly validated and the length of the information elements (int left) could end up being negative. This would result in reading significantly past the stack buffer while parsing the IEs in ieee802_11_parse_elems() and while doing so, resulting in segmentation fault.
| | This can result in an invalid frame being used for a denial of service attack (hostapd process killed) against an AP with a driver that uses hostapd for management frame processing (e.g., all mac80211-based drivers).
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | Change-Id: I8f1f9734f74124df51eba4f075f7b9bc14af1332
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | EAP-pwd peer: Fix asymmetric fragmentation behavior (Author: Jouni Malinen, Age: 2015-05-11, Files: 1, Lines: -0/+1)
| | The L (Length) and M (More) flags need to be cleared before deciding whether the locally generated response requires fragmentation. This fixes an issue where these flags from the server could have been invalid for the following message. In some cases, this could have resulted in triggering the wpabuf security check that would terminate the process due to invalid buffer allocation.
| | Change-Id: Id3bb2a36b7b0a040e81ec1f1064934047606259a
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | EAP-pwd server: Fix Total-Length parsing for fragment reassembly (Author: Jouni Malinen, Age: 2015-05-11, Files: 1, Lines: -0/+10)
| | The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer.
| | In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing invalid message.
| | Change-Id: I1501af3aefa3a9784704cbd8ec625f66b4bb5df5
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (Author: Jouni Malinen, Age: 2015-05-11, Files: 1, Lines: -0/+12)
| | The remaining number of bytes in the message could be smaller than the Total-Length field size, so the length needs to be explicitly checked prior to reading the field and decrementing the len variable. This could have resulted in the remaining length becoming negative and interpreted as a huge positive integer.
| | In addition, check that there is no already started fragment in progress before allocating a new buffer for reassembling fragments. This avoids a potential memory leak when processing invalid message.
| | Change-Id: Iff93a6434df546f093eb192e999e82f999abb96e
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | EAP-pwd server: Fix payload length validation for Commit and Confirm (Author: Jouni Malinen, Age: 2015-05-11, Files: 1, Lines: -0/+19)
| | The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message.
| | Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed.
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | Change-Id: I5688a52eb08bbfe11dd0b82c63e540c43091ca18
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | EAP-pwd peer: Fix payload length validation for Commit and Confirm (Author: Jouni Malinen, Age: 2015-05-11, Files: 1, Lines: -0/+29)
| | The length of the received Commit and Confirm message payloads was not checked before reading them. This could result in a buffer read overflow when processing an invalid message.
| | Fix this by verifying that the payload is of expected length before processing it. In addition, enforce correct state transition sequence to make sure there is no unexpected behavior if receiving a Commit/Confirm message before the previous exchanges have been completed.
| | Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
| | Change-Id: Id2bc93879b12ffcd94b1ecdc98fc6c5f730d7027
| | Signed-off-by: Jouni Malinen <j@w1.fi>
* | P2P: Validate SSID element length before copying it (Ref: stable/cm-12.1-YOG3C, Author: Jouni Malinen, Age: 2015-04-23, Files: 1, Lines: -0/+1)
| | This fixes a possible memcpy overflow for P2P dev->oper_ssid in p2p_add_device(). The length provided by the peer device (0..255 bytes) was used without proper bounds checking and that could have resulted in arbitrary data of up to 223 bytes being written beyond the end of the dev->oper_ssid[] array (of which about 150 bytes would be beyond the heap allocation) when processing a corrupted management frame for P2P peer discovery purposes.
| | This could result in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.
| | Thanks to Google security team for reporting this issue and smart hardware research group of Alibaba security team for discovering it.
| | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| | (cherry picked from commit fdb708a37d8f7f1483e3cd4e8ded974f53fedace)
| | Change-Id: Ibc53ff533f78cfcd7c51fbb5d5494b828f184cc8
* | wpa_supplicant: Force the p2p channels to reuse frequencies used by STA (Author: Diogo Ferreira, Age: 2015-04-22, Files: 1, Lines: -0/+2)
|/
| In the mediatek platform the performance of p2p connections will degrade significantly if different frequencies are used for STA and P2P.
| Change-Id: I8bd7e4a3f10177c99d273eccb88c8590fcbe3d34
* Merge tag 'AU_LINUX_ANDROID_LA.BF64.1.2.1_RB2.05.00.02.081.002' into HEAD (Author: Sudhir Sharma, Age: 2015-03-11, Files: 50, Lines: -304/+964)
|\
| | "AU_LINUX_ANDROID_LA.BF64.1.2.1_RB2.05.00.02.081.002"
| | Conflicts: src/utils/http_curl.c
| | Change-Id: I31aaf07069a70607c3d0486f505dc89f4062225b
| * Merge tag 'android-5.1.0_r1' into HEAD. (Author: Sudhir Sharma, Age: 2015-03-10, Files: 50, Lines: -305/+964)
| |\
| | | Android 5.1.0 release 1
| | | Conflicts:
| | |   src/common/qca-vendor.h
| | |   src/drivers/driver_nl80211.c
| | |   src/drivers/nl80211_copy.h
| | |   src/p2p/p2p_go_neg.c
| | |   src/rsn_supp/tdls.c
| | |   wpa_supplicant/config.c
| | |   wpa_supplicant/config.h
| | |   wpa_supplicant/config_file.c
| | |   wpa_supplicant/config_ssid.h
| | |   wpa_supplicant/wpa_supplicant.c
| | |   wpa_supplicant/wps_supplicant.c
| | | Change-Id: Ib77f68a7e9ee05e6e3b2b255ecf829d5b2f397cd
| | * nl80211: Ignore Connect failure for the previous association (Author: Jithu Jance, Age: 2014-12-03, Files: 1, Lines: -7/+36)
| | | Suppose there are two APs (AP1 & AP2) and user attempted to connect to AP2 before the previous connection with AP1 could succeed. Now, if the connection event comes for the older AP with failed status, we should just ignore it as the wpa_supplicant state has moved to "ASSOCIATING" with the new AP (AP2).
| | | This is similar to the case where a disconnection event is ignored for a case where local disconnect request can cause the extra event to show up during the next association process following that command.
| | | Signed-off-by: Jithu Jance <jithu@broadcom.com>
| | | Signed-off-by: vandwalle <vandwalle@google.com>
| | * am 658fb4ad: Work around AP misbehavior on EAPOL-Key descriptor version (Author: Jouni Malinen, Age: 2014-11-17, Files: 1, Lines: -0/+3)
| | |\
| | | | * commit '658fb4adb9458c3055c64a43833f1a9e89b4db74':
| | | |   Work around AP misbehavior on EAPOL-Key descriptor version
| | | * Work around AP misbehavior on EAPOL-Key descriptor version (Author: Jouni Malinen, Age: 2014-11-17, Files: 1, Lines: -0/+3)
| | | | It looks like some APs are incorrectly selecting descriptor version 3 (AES-128-CMAC) for EAPOL-Key frames when version 2 (HMAC-SHA1) was expected to be used. This is likely triggered by an attempt to negotiate PMF with SHA1-based AKM.
| | | | Since AES-128-CMAC is considered stronger than HMAC-SHA1, allow the incorrect, but stronger, option to be used in these cases to avoid interoperability issues with deployed APs.
| | | | This issue shows up with "WPA: CCMP is used, but EAPOL-Key descriptor version (3) is not 2" in debug log. With the new workaround, this issue is ignored and "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used" is written to the log.
| | | | Bug: 18411110
| | | | Change-Id: I9ae12e8882adc9e785f6e4cef9f30b89bf72dcd2
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| | * | Cumulative patch to Release 2.3 (Author: Dmitry Shmidt, Age: 2014-10-09, Files: 5, Lines: -27/+66)
| | | | 724fce8 Change version information for the 2.3 release
| | | | 5cb1440 Update ChangeLog files for v2.3
| | | | 2b28ef6 browser-wpadebug: Use more robust mechanism for starting browser
| | | | 3d8a3ff browser-android: Use more robust mechanism for starting browser
| | | | 17dc39a browser-system: Use more robust mechanism for starting browser
| | | | 4a274f4 DFS: Allow 80+80 MHz be configured for VHT
| | | | Change-Id: I5562ac22e5bf8a55d0f7f8944ca0d9c8ebd8d13f
| | | | Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
| | * | Cumulative patch from commit d5fe4e6c18d94465e8fb4527d51df6e8539c4d6a (Author: Dmitry Shmidt, Age: 2014-10-07, Files: 27, Lines: -163/+430)
| | | | d5fe4e6 Reserve QCA vendor specific nl80211 commands 34..49
| | | | a256506 AES: Extend key wrap implementation to support longer data
| | | | eefec1e AES: Extend key wrap design to support longer AES keys
| | | | 98a1571 OpenSSL: Clean up one part from the BoringSSL patch
| | | | a857296 Support building with BoringSSL
| | | | 1236eda Android: Remove ctrl_interface=wlan0 from config template
| | | | 9ffd512 Android: Set pmf=1 to default template
| | | | 45d8501 Fix out of bounds memory access when removing vendor elements
| | | | a61fcc1 Clean up authenticator PMKSA cache implementation
| | | | cb129db Clear PMKSA cache entry data when freeing them
| | | | 8c8d26a Remove unnecessary PMKSA cache freeing step
| | | | 9c82990 Fix authenticator OKC fetch from PMKSA cache to avoid infinite loop
| | | | 47ea24c Fix PMKSA cache timeout from Session-Timeout in WPA/WPA2 cases
| | | | dc152f3 wpa_supplicant: Enable HT for IBSS
| | | | 4ec6837 wpa_supplicant: Use hostapd_freq_params in assoc_params
| | | | 43f02e6 wpa_ctrl: Update wpa_ctrl_recv() documentation for non-block behavior
| | | | 1274ec2 dbus: Add an interface configuration entry to set the WPS methods
| | | | 3e0272c nl80211: Re-read MAC address on RTM_NEWLINK
| | | | 5dfbd72 nl80211: Add get_bss_ifindex() helper
| | | | f1a6131 P2P: Use only the -m config for P2P management device
| | | | 08d7665 TDLS: Use WMM IE for propagating peer WMM capability
| | | | 17729b0 TDLS: Fix concurrent setup test for mac80211 drivers
| | | | 984dadc TDLS: Set the initiator during tdls_mgmt operations
| | | | 01cb5df Sync with wireless-testing.git include/uapi/linux/nl80211.h
| | | | ca3c6b4 nl80211: Fix compatibility with older version of libnl
| | | | d76426c TDLS: Filter AID value properly for VHT peers
| | | | Change-Id: Ia2156628a590c502d9111de2727da642ff435d9a
| | | | Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
| | * | am 772e12cf: Cumulative security CVE-2014-3686 patch (Author: Jouni Malinen, Age: 2014-10-07, Files: 3, Lines: -0/+70)
| | |\|
| | | | * commit '772e12cfed81754a9fd890be7bc77bc602a549b5':
| | | |   Cumulative security CVE-2014-3686 patch
| | * | Cumulative patch from commit a313d17de943cbaf12cbf67d666af14791be8ad2 (Author: Dmitry Shmidt, Age: 2014-09-30, Files: 28, Lines: -135/+594)
| | | | a313d17 Extend random MAC address support to allow OUI to be kept
| | | | 1cbdb9d Add helper function for generating random MAC addresses with same OUI
| | | | 97ed9a0 nl80211: Remove bridge FDB entry upon sta_remove()
| | | | 39323bc AP: hostapd_setup_bss() code clean-up
| | | | 1595eb9 P2P: Add support for 60 GHz social channel
| | | | b6ebdfb Extend STATUS command with frequency information
| | | | 375f4a3 hostapd: Avoid dead code with P2P not enabled
| | | | 6a60488 dbus: Add a global property to set or unset WFD IEs
| | | | 4bd7e16 wifi_display: Add a utility function to set WFD subelements from IEs
| | | | d417744 wifi_display: Add a utility function to get the sub-elements as IEs
| | | | a8833b8 util: Don't use "\e"
| | | | 8c6f4a5 ap_config.c: fix typo for "capabilities"
| | | | 6e252b0 WPS: Fix WPS-in-search check when STA_AUTOCONNECT is disabled
| | | | e5fdc05 P2P: Remove unecessary sanity check for global p2p
| | | | ee285df P2P: Flush services based on global p2p init and not p2p ifaces
| | | | 7139cf4 P2P: Decrement sd_pending_bcast_queries when sd returns success
| | | | dbdc9a1 nl80211: Fix memory leak on start radar detection error path
| | | | ed8e005 hostap: nl80211 use nl80211_put_freq_params
| | | | c267753 Add support for using random local MAC address
| | | | 4d8fb63 Add helper function for generating random MAC addresses
| | | | fee354c nl80211: Add command for changing local MAC address
| | | | e49cabc P2P: Set timeout when starting GO Negotiation from Probe Req RX
| | | | 7549c17 P2P: Clear pending_listen_freq when starting GO Neg/Invite
| | | | b497a21 nl80211: Ignore auth/assoc events when testing driver-SME
| | | | 79e2b1c Add PMKSA_FLUSH ctrl_iface command
| | | | 55c2bfa wpa_cli: Support action scripts with global ctrl_iface
| | | | 063f850 wpa_cli: Increase event buffer size to 4096 bytes
| | | | fa0e917 wpa_cli: Fix PING in interactive mode with ifname_prefix
| | | | c53a9bf Check for driver's DFS offload capability before handling DFS
| | | | 068e387 STA: Update scan results for ap_scan=1 skip-selection case also
| | | | 7a4a93b dbus: Add SignalPoll() method to report current signal properties
| | | | a6ab82d Android: Add NO_EVENTS parameter to status command
| | | | df2508d P2P: Check os_get_random() return value more consistently
| | | | 54461f3 RADIUS server: Remove unreachable code
| | | | e4474c1 FT: Fix hostapd with driver-based SME to authorize the STA
| | | | 0800f9e nl80211: Add roaming policy update using QCA vendor command
| | | | 0ef023e Add support for driver command to update roaming policy
| | | | 0cd9846 nl80211: Print debug info on STA flag changes
| | | | 17e2091 P2P: Fix radio work issue with wait-for-peer GO Negotiation
| | | | 76db5b6 Work around broken AP PMKSA caching implementation
| | | | b08d5fa WPS: Set EAPOL workarounds dynamically based on association
| | | | 8511a0f WPS: Extend internal entropy pool help for key/snonce derivation
| | | | abc0553 Remove WPA_EVENT_SCAN_STARTED message from MSG_INFO log
| | | | c45dabb P2P: Deauth p2p client just after dbus notify
| | | | 3ee1856 nl80211: Register eloop after hs20 action frame
| | | | 3bd3257 dbus: add BSS Age property to indicate last-seen time
| | | | 5c61d21 openssl: Fix memory leak in openssl ec deinit
| | | | 10e7948 Fix hostapd GET_CONFIG wpa_pairwise_cipher value
| | | | 3a413e0 RADIUS client: Check getsockname() return value
| | | | 9c196f7 HTTP: Fix OCSP status check
| | | | cb5ef95 SME: Verify that os_get_random() succeeds for SA Query
| | | | c9cd78e RADIUS server: Fix IPv6 radiusAuthClientAddress mask
| | | | 5e62cfd P2P: Verify that os_get_random() succeeds
| | | | 6473e80 EAP-PAX server: Add explicit CID length limit
| | | | 6a6566c Remove unnecessarily shadowed local variable
| | | | df756b3 hostapd: Remove unused variable assignment
| | | | e47abdb TDLS: Decline Setup Request with status code 37 if BSSID does not match
| | | | ce2002a TDLS: Add RSN and Timeout interval IEs in TDLS Discovery Response frame
| | | | 1c2aa04 P2P: Do not add P2P IEs on P2P disabled interface
| | | | f2e9083 nl80211: Add more RTM_NEWLINK/DELLINK debug messages
| | | | 728ff2f nl80211: Fix RTM_DELLINK processing for bridge events
| | | | e5a4b85 WPS: Merge mixed-WPA/WPA2 credentials if received in same session
| | | | db9418b Add printf NULL checks to silence static analyzer
| | | | 4e53675 P2P: Overwrite pending interface only after verifying BSS entry
| | | | 04a258e hostapd: Check that EVENT_ASSOC data is present before using it
| | | | 1cc0d6a wpa_supplicant: Use freq_list scan filtar in sched_scan
| | | | Change-Id: Ibc18f6761b3ccfe8fb4479f26f53e70942068bc8
| | | | Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* | | | Merge "HTTP: Fix OCSP error path" (Author: Linux Build Service Account, Age: 2015-03-06, Files: 1, Lines: -2/+1)
|\ \ \ \
| * | | | HTTP: Fix OCSP error path (Author: Subhani Shaik, Age: 2015-03-03, Files: 1, Lines: -2/+1)
| |/ / /
| | | | If addition of a peer issuer certificate fails, the certs pointer would be NULL when being passed to sk_X509_push() for peer issuer's issuer. Fix this by skipping addition of issuer's issue if issuer addition fails.
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
| | | | Change-Id: I95c16cad335338cc06f64ea021c5814627256c07
| | | | Git-commit: bd7bb43784c5baa3d9220c88f3f51d18023a183b
| | | | Git-repo: git://w1.fi/srv/git/hostap.git
| | | | CRs-Fixed: 799051
* / / / Ensure NULL checks are done before dereferencing pointer.  Subhani Shaik  2015-03-03  1  -9/+18
|/ / / After os_malloc and pointer assignment making sure that the pointers are not dereferencing NULL Change-Id: I585fa3b434e548f1c624cbc844774c5cbae12e5d CRs-Fixed: 797025
* | | Merge "eap_proxy: UI support to get the SIM information."  Linux Build Service Account  2015-02-07  2  -0/+59
|\ \ \
| * | | eap_proxy: UI support to get the SIM information.  Sravanthi Palakonda  2015-01-21  2  -0/+59
| | | | Framework sends an event GET_SIM_INFO to get the sim card information such as type of the SIM (2G/3G) and No. of SIMs supported by the build. Based on this, the framework will decide which sim supports what type of EAP methods (SIM/AKA) msg format: no_of_sims=x sim1=a sim2=b Change-Id: I32ed7d3a719da2e222a49f8a100046f32028c8e9 CRs-Fixed: 775948
* | | | Merge "Improve subject_match and domain_suffix_match documentation"  Linux Build Service Account  2015-02-03  1  -0/+4
|\ \ \ \
| * | | | Improve subject_match and domain_suffix_match documentation  Jouni Malinen  2015-01-27  1  -0/+4
| |/ / / These were already covered in both README-HS20 for credentials and in header files for developers' documentation, but the copy in wpa_supplicant.conf did not include all the details. In addition, add a clearer note pointing at subject_match not being suitable for suffix matching domain names; domain_suffix_match must be used for that. Signed-off-by: Jouni Malinen <j@w1.fi> Git-repo: git://w1.fi/srv/git/hostap.git Git-commit: 394b54732ec9586f96aa91423a2da55806b0adec CRs-Fixed: 786617 Change-Id: I0b0b7e001bcc78a6a3a347b6c23ba38d76a78c58
* / / / nl80211: Register eloop after hs20 action frame  Eduardo Abinader  2015-01-28  1  -1/+1
|/ / / Even when hs20 action frame is unable to be registered, for whatever reason, it should be possible to register event handle for received driver messages. This patch also avoids a segmentation fault, when p2p and hs20 were enabled and GO NEG was unable to create p2p iface, the destroy eloop was crashing by reading an invalid handle. CRs-fixed: 787173 Git-commit: 3ee18569f5d181ba01981d9bcbc60243f7ac1c7a Git-repo : git://w1.fi/srv/git/hostap.git Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org> Change-Id: I7c3c95e92a9aee44ee973791bdb3b17112d68bd4
* | | Merge "nl80211: Ignore Connect failure for the previous association"  Linux Build Service Account  2014-12-23  1  -7/+36
|\ \ \
| * | | nl80211: Ignore Connect failure for the previous association  Jithu Jance  2014-12-15  1  -7/+36
| | | | Suppose there are two APs (AP1 & AP2) and user attempted to connect to AP2 before the previous connection with AP1 could succeed. Now, if the connection event comes for the older AP with failed status, we should just ignore it as the wpa_supplicant state has moved to "ASSOCIATING" with the new AP (AP2). This is similar to the case where a disconnection event is ignored for a case where local disconnect request can cause the extra event to show up during the next association process following that command. Signed-off-by: Jithu Jance <jithu@broadcom.com> Git-commit: 0d4e3d1d13b2fd28128f10bc7f455034bc1bbcbb Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: If3190b21e0430f181ef342fabf63cd9090fa59b7 CRs-fixed: 771294
* | | | Merge "P2P: Check Invitation Response dialog token match for resend case"  Linux Build Service Account  2014-12-15  3  -3/+31
|\ \ \ \
| * | | | P2P: Check Invitation Response dialog token match for resend case  Sunil Dutt  2014-12-11  3  -3/+31
| |/ / / Commit ac330cfd87397a1a01e697984f3944f427e88dad ('P2P: Reinvite with social operation channel if no common channels') introduced a mechanism to reinvite a peer during a persistent group reinvocation from a GO with a different operating channel proposal. This mechanism can fail if the inviting device (GO) ends up getting a retransmitted, duplicated Invitation Response frame processed a second time while waiting for the response to the retried Invitation Request (using one of the social channels as the operating channel). IEEE 802.11 duplicate frame detection mechanisms are supposed to prevent this type of sequence, but not all drivers support those rules properly for pre-association frames, including P2P Public Action frames. Work around this issue by checking that the dialog token in the Invitation Response frame matches the one from the last Invitation Request if the special invitation retry mechanism is used. This is safer to do now than to enable dialog token matching for all invitation cases. CRs-fixed: 768932 Git-commit: 36b5c3335ad512061d2b39af03bb7e3508209951 Git-repo : git://w1.fi/srv/git/hostap.git Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Change-Id: I131608ccc18597ecf1579e994c41026ec5fd2742
* | | | Merge "nl80211: Add driver flag to indicate mesh support"  Linux Build Service Account  2014-12-15  3  -3/+9
|\ \ \ \
| * | | | nl80211: Add driver flag to indicate mesh support  Bob Copeland  2014-12-09  3  -3/+9
| | | | | Convert the driver flags variable to u64 since there was no room for more flags. Signed-off-by: Javier Lopez <jlopex@gmail.com> Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Jason Mobarak <x@jason.mobarak.name> Signed-off-by: Bob Copeland <me@bobcopeland.com> Conflicts: src/drivers/driver.h src/drivers/driver_nl80211.c Git-commit: 24bd4e0be56ef0371a71f4749808a44b3aeffe16 Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: Ic4cc033fcc3eea368e32f230f37be96b713d1316 CRs-fixed: 752061
* | | | | hostapd: Allow ACS to be offloaded to the driver  Peng Xu  2014-12-12  8  -1/+244
| |/ / /
|/| | | Using QCA vendor command, allow ACS function to be offloaded to the driver. Once channels are selected, hostapd is notified to perform OBSS operation Conflicts: src/ap/ap_drv_ops.c src/common/qca-vendor.h src/drivers/driver.h src/drivers/driver_common.c src/drivers/driver_nl80211.c Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Git-commit: 16689c7cfc99c66aecbf16eb2f4a8bc941cb5d0f Git-repo : git://w1.fi/srv/git/hostap.git Change-Id: Ib36cdc5b267901ba3e3cc373d722f9fdc5ff50bb CRs-fixed: 752061