From 0fbcc4cde5f93d092d62366ef9615b3edb8fa5f6 Mon Sep 17 00:00:00 2001 From: Ben Fennema Date: Fri, 8 Apr 2016 16:00:34 -0700 Subject: DO NOT MERGE ANYWHERE Fix max number of sched scan SSIDs based on driver capability Bug: 26700796 Change-Id: I00a780ff01cc2c1f05da5bce1893ea6ea397c086 Signed-off-by: Ben Fennema --- wpa_supplicant/scan.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c index e81465c5..1fc4b27a 100644 --- a/wpa_supplicant/scan.c +++ b/wpa_supplicant/scan.c @@ -2259,10 +2259,18 @@ int wpas_start_pno(struct wpa_supplicant *wpa_s) size_t i, num_ssid, num_match_ssid; struct wpa_ssid *ssid; struct wpa_driver_scan_params params; + unsigned int max_sched_scan_ssids; if (!wpa_s->sched_scan_supported) return -1; + if (wpa_s->max_sched_scan_ssids > WPAS_MAX_SCAN_SSIDS) + max_sched_scan_ssids = WPAS_MAX_SCAN_SSIDS; + else + max_sched_scan_ssids = wpa_s->max_sched_scan_ssids; + if (max_sched_scan_ssids < 1) + return -1; + if (wpa_s->pno || wpa_s->pno_sched_pending) return 0; @@ -2306,10 +2314,10 @@ int wpas_start_pno(struct wpa_supplicant *wpa_s) num_ssid++; } - if (num_ssid > WPAS_MAX_SCAN_SSIDS) { + if (num_ssid > max_sched_scan_ssids) { wpa_printf(MSG_DEBUG, "PNO: Use only the first %u SSIDs from " - "%u", WPAS_MAX_SCAN_SSIDS, (unsigned int) num_ssid); - num_ssid = WPAS_MAX_SCAN_SSIDS; + "%u", max_sched_scan_ssids, (unsigned int) num_ssid); + num_ssid = max_sched_scan_ssids; } if (num_match_ssid > wpa_s->max_match_sets) { -- cgit v1.2.3 From d6cd7d7f4dd46af125c09ef3ca37f11426b27302 Mon Sep 17 00:00:00 2001 
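Review bot: The new early exit `if (max_sched_scan_ssids < 1) return -1;` in the first wpas_start_pno hunk fails PNO start without logging anything. A driver that sets sched_scan_supported but advertises zero sched scan SSIDs therefore produces a failure that is hard to trace. I would emit a debug line before the return, for example `wpa_printf(MSG_DEBUG, "PNO: Driver does not support any sched scan SSIDs");`. A short comment on the clamp saying the limit is the smaller of the driver capability and WPAS_MAX_SCAN_SSIDS would also help. The function starts and ends outside both hunks.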
From: "Kanchanapally, Vidyullatha" Date: Fri, 20 May 2016 14:41:55 +0530 Subject: nl80211: Register for only for specific Action frames in AP mode [DO NOT MERGE] This makes changes such that hostapd (and wpa_supplicant AP mode) registers to kernel for specific Action frames instead of generically registering for all Action frames. This makes it easier for other programs to register for some Action frames that hostapd does not handle today without having to somehow coordinate directly with hostapd. Signed-off-by: Jouni Malinen BUG: 28973012 Change-Id: I05e5ea4b1176d5f0f4b7b9da2d322885c9c8a17c --- src/drivers/driver_nl80211.c | 52 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index 798e6947..08945bd9 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c 
@@ -2050,6 +2050,49 @@ static int nl80211_register_spurious_class3(struct i802_bss *bss) } +static int nl80211_action_subscribe_ap(struct i802_bss *bss) +{ + int ret = 0; + + /* Public Action frames */ + if (nl80211_register_action_frame(bss, (u8 *) "\x04", 1) < 0) + ret = -1; + /* RRM Measurement Report */ + if (nl80211_register_action_frame(bss, (u8 *) "\x05\x01", 2) < 0) + ret = -1; + /* RRM Neighbor Report Request */ + if (nl80211_register_action_frame(bss, (u8 *) "\x05\x04", 2) < 0) + ret = -1; + /* FT Action frames */ + if (nl80211_register_action_frame(bss, (u8 *) "\x06", 1) < 0) + ret = -1; +#ifdef CONFIG_IEEE80211W + /* SA Query */ + if (nl80211_register_action_frame(bss, (u8 *) "\x08", 1) < 0) + ret = -1; +#endif /* CONFIG_IEEE80211W */ + /* Protected Dual of Public Action */ + if (nl80211_register_action_frame(bss, (u8 *) "\x09", 1) < 0) + ret = -1; + /* WNM */ + if (nl80211_register_action_frame(bss, (u8 *) "\x0a", 1) < 0) + ret = -1; + /* WMM */ + if (nl80211_register_action_frame(bss, (u8 *) "\x11", 1) < 0) + ret = -1; +#ifdef CONFIG_FST + /* FST Action frames */ + if (nl80211_register_action_frame(bss, (u8 *) "\x12", 1) < 0) + ret = -1; +#endif /* CONFIG_FST */ + /* Vendor-specific */ + if (nl80211_register_action_frame(bss, (u8 *) "\x7f", 1) < 0) + ret = -1; + + return ret; +} + + static int nl80211_mgmt_subscribe_ap(struct i802_bss *bss) { static const int stypes[] = { @@ -2058,7 +2101,6 @@ static int nl80211_mgmt_subscribe_ap(struct i802_bss *bss) WLAN_FC_STYPE_REASSOC_REQ, WLAN_FC_STYPE_DISASSOC, WLAN_FC_STYPE_DEAUTH, - WLAN_FC_STYPE_ACTION, WLAN_FC_STYPE_PROBE_REQ, /* Beacon doesn't work as mac80211 doesn't currently allow * it, but it wouldn't really be the right thing anyway as @@ -2083,6 +2125,9 @@ static int nl80211_mgmt_subscribe_ap(struct i802_bss *bss) } } + if (nl80211_action_subscribe_ap(bss)) + goto out_err; + if (nl80211_register_spurious_class3(bss)) goto out_err; 
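Review bot: nl80211_action_subscribe_ap() replaces the catch-all WLAN_FC_STYPE_ACTION registration with a fixed list of category prefixes, but nothing in the function records what governs that list. Action categories that are not listed are presumably no longer delivered to this process in AP mode. I would add a function comment such as `/* Keep in sync with the Action frame categories handled in AP mode; categories not registered here are not delivered to this process. */`. The same list is used by the nl80211_mgmt_subscribe_ap_dev_sme() hunk, which previously registered with a NULL match. Separately, the `(u8 *) "\x04"` style casts drop const from string literals; if nl80211_register_action_frame() takes a `const u8 *` (its prototype is outside the hunk), the casts should be `(const u8 *)`.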
@@ -2105,10 +2150,7 @@ static int nl80211_mgmt_subscribe_ap_dev_sme(struct i802_bss *bss) wpa_printf(MSG_DEBUG, "nl80211: Subscribe to mgmt frames with AP " "handle %p (device SME)", bss->nl_mgmt); - if (nl80211_register_frame(bss, bss->nl_mgmt, - (WLAN_FC_TYPE_MGMT << 2) | - (WLAN_FC_STYPE_ACTION << 4), - NULL, 0) < 0) + if (nl80211_action_subscribe_ap(bss)) goto out_err; nl80211_mgmt_handle_register_eloop(bss); -- cgit v1.2.3 From 748cf248afe1d09a4c6973615343fd1192084ea3 Mon Sep 17 00:00:00 2001 From: Paul Stewart Date: Fri, 10 Jun 2016 08:29:55 -0700 Subject: Fix use-after-free in qca_nl80211_get_features Any data accessible from nla_data is freed before the send_and_recv_msgs function returns, therefore we need to allocate space for info.flags ourselves. BUG=29237626 Change-Id: I622d1c624cce785ca7ed76f5c0ea8c5011c9be45 --- src/drivers/driver_nl80211_capa.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c index 14a93a05..004d88e3 100644 --- a/src/drivers/driver_nl80211_capa.c +++ b/src/drivers/driver_nl80211_capa.c @@ -820,8 +820,12 @@ static int features_info_handler(struct nl_msg *msg, void *arg) attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_FEATURE_FLAGS]; if (attr) { - info->flags = nla_data(attr); - info->flags_len = nla_len(attr); + int len = nla_len(attr); + info->flags = os_malloc(len); + if (info->flags != NULL) { + os_memcpy(info->flags, nla_data(attr), len); + info->flags_len = len; + } } attr = tb_vendor[QCA_WLAN_VENDOR_ATTR_CONCURRENCY_CAPA]; if (attr) @@ -884,6 +888,7 @@ static void qca_nl80211_get_features(struct wpa_driver_nl80211_data *drv) if (check_feature(QCA_WLAN_VENDOR_FEATURE_OFFCHANNEL_SIMULTANEOUS, &info)) drv->capa.flags |= WPA_DRIVER_FLAGS_OFFCHANNEL_SIMULTANEOUS; + os_free(info.flags); } #endif /* CONFIG_DRIVER_NL80211_QCA */ -- cgit v1.2.3 From e382b88ddec8ed658cb462a6a49ec54e0d0e564c Mon Sep 17 00:00:00 2001 
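Review bot: In the features_info_handler hunk, `info->flags = os_malloc(len);` overwrites whatever info->flags already held, so an earlier buffer would leak if the handler runs more than once for one request (not determinable from this hunk). When os_malloc() fails, flags_len also keeps its previous value while flags becomes NULL. Assuming the caller zero-initialises info, releasing and resetting before the allocation closes both gaps: `os_free(info->flags); info->flags = NULL; info->flags_len = 0;`. The matching `os_free(info.flags);` in the qca_nl80211_get_features hunk sits at the very end of that function. Any return path between send_and_recv_msgs and that line would need the same free, which cannot be checked here because most of the body is outside the hunk.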
From: Roshan Pius Date: Wed, 29 Jun 2016 15:37:57 -0700 Subject: DO NOT MERGE Dont exceed scan ssid max size advertised by driver Currently |wpa_set_scan_ssids| fully exhausts |wpa_driver_scan_params.ssid| list when hidden network ID's are provided via the control interface. This results in us exceeding the max size for the list advertised by the driver when we add the "wildcard" scan ssid entry. So, ensure that we leave space for one more scan ssid entry in the list when we exit out of |wpa_set_scan_ssids|. BUG: 29502964 Change-Id: If2cdd11951a7855e73d8bb7b6f8cae504931fa56 Signed-off-by: Roshan Pius --- wpa_supplicant/scan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c index 7a528262..7f42607d 100644 --- a/wpa_supplicant/scan.c +++ b/wpa_supplicant/scan.c @@ -575,6 +575,11 @@ static void wpa_set_scan_ssids(struct wpa_supplicant *wpa_s, { unsigned int i; struct wpa_ssid *ssid; + /* + * For devices with |max_ssids| greater than 1, leave the last slot empty + * for adding the wildcard scan entry. + */ + max_ssids = (max_ssids == 1) ? max_ssids : max_ssids - 1; for (i = 0; i < wpa_s->scan_id_count; i++) { unsigned int j; -- cgit v1.2.3
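Review bot: The added `max_ssids = (max_ssids == 1) ? max_ssids : max_ssids - 1;` in wpa_set_scan_ssids does not handle max_ssids == 0. If the parameter is unsigned (its declaration is outside the hunk), the subtraction wraps to a huge value and removes the bound this change is meant to tighten. Decrementing only when there is room avoids that: `if (max_ssids > 1) max_ssids--;`. The function body continues outside the hunk, so whether any caller can pass 0 should be confirmed there.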