upmerge hostap 2.11 #66

Open
wants to merge 2,173 commits into
base: main
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Mar 26, 2024

  1. tests: AP MLD: Remove mld_id config

    mld_id config is not used anymore. Remove its use from test cases.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 26, 2024
    Commit e51f110

Commits on Mar 27, 2024

  1. AP MLD: Add a separate MLD level structure

    MLD level information like MLD MAC address, next link ID, etc. was
    stored in each BSS. However, only the first link BSS assigns values to
    these members and the other link BSSs store references to the first BSS.
    However, if the first BSS is disabled, the first BSS reference in all
    BSS should be updated which is an overhead. Also, this does not seem to
    scale.
    
    Instead, a separate MLD level structure can be maintained which can
    store all this ML related information. All affiliated link BSSs can keep
    reference to this MLD structure.
    
    This commit adds that MLD level structure. However, assigning values to
    it and using that instead of BSS level members will be done in
    subsequent commits.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 2f0e530
  2. AP MLD: Use MLD struct for MLD level information

    MLD level structure is present to store the MLD level information.
    
    Add changes to use the MLD structure instead of link specific struct
    hostapd_data to get/set the MLD level information.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit b19aa9c
  3. AP MLD: Assign link ID during BSS creation

    Link ID was assigned when BSS is going through setup and the driver
    interface init. Later if interface is disabled and enabled again, setup
    BSS is called which will give a new link ID to it. However, Link ID
    should be same for a BSS affiliated to an AP MLD for the full lifetime of
    the BSS.
    
    Hence, assign the link ID during BSS creation itself. And it will remain
    until BSS entry is completely freed. Hence, link ID will not change as
    part of disable/enable.
    
    Also, since link ID would be decided now, it will help in creating link
    level control sockets in a subsequent patch.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit fac3468
  4. AP MLD: Clean up MLD when not required any further

    Currently, whenever a new BSS is created, if it is an EHT BSS it is tied
    to a corresponding MLD structure. If the structure does not exist
    already, a new one is created and tied to it. Accordingly, the link ID
    is assigned as well. However, when the BSS is deleted, the MLD structure
    is not freed and when it is again created the next time, the link ID is
    incremented further and the BSS gets a wrong link ID.
    
    For example, 2.4 GHz single link AP MLD case: First ADD, link ID 0 would
    be assigned and MLD interface wlan0 would be created. When REMOVE is
    issued, the BSS would be deleted but MLD wlan0 will not. When ADD is
    issued again, the BSS will tie back to MLD wlan0 but this time the link
    ID will be incremented again and 1 would be assigned. Hence, at
    subsequent REMOVE/ADD, the link ID keeps on incrementing.
    
    Since the link ID remains same for the full lifetime of the BSS and MLD,
    the next link ID counter cannot be just reset back to 0 when a BSS is
    deleted. Otherwise, in interleaved link enable/disable case, the link ID
    would be changed.
    
    To overcome this situation, whenever a BSS is deleted, if the MLD is not
    referenced by any other existing BSS, delete the MLD structure itself.
    
    To know how many BSSs are referring a given MLD, introduce a new member
    refcount in MLD. If the value is 0 it is safe to delete the MLD.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 60e1dca
  5. nl80211: Cache hostapd_data context in per link BSS struct for AP MLD

    Cache the corresponding hostapd_data struct context into the link entry
    within the driver wrapper. This will be useful for driver events
    callback processing.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit f2f0dd3
  6. nl80211: Fix set_ap() to add frequency without CONFIG_IEEE80211AX

    This call was added within a conditional CONFIG_IEEE80211AX block even
    though this can apply without that build option. Move this outside that
    conditional block.
    
    Fixes: b3921db ("nl80211: Add frequency info in start AP command")
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Mar 27, 2024
    Commit 4200657
  7. nl80211: Remove redundant put_freq call in set_ap() for AP MLD

    wpa_driver_nl80211_set_ap() called nl80211_put_freq_params() twice if AP
    is an AP MLD. It called once while putting the MLO link ID and the other
    time in the normal flow if frequency info is present. Doing this twice
    is not required.
    
    Call put_freq once during the normal flow only and separately of that,
    add the link ID for AP MLD.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit b810426
  8. nl80211: Re-factor nl80211_remove_links() function

    nl80211_remove_links() iterated over all active links in the given BSS
    and removed all of them. However, at times it is required to remove only
    one link and not all links.
    
    Add a helper function nl80211_remove_link() which will remove just the
    given link_id from the passed BSS. nl80211_remove_links() will use this
    and will call this for each of the active links to be removed.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit b162886
  9. nl80211: Use per-BSS command for remove link

    Construct the nl80211 remove link command using the per-BSS approach
    instead of per-driver (drv->first_bss).
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit a576180
  10. nl80211: Remove AP MLD links while removing the interface

    When the interface was removed, the added links were not removed. While
    removing the interface, kernel has removed the stale links but hostapd
    has not. This is wrong since hostapd should remove and do the clean ups
    properly while removing the interface.
    
    Hence, remove the links when interface is removed.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 55c30e8
  11. AP MLD: Support link removal before removing interface

    Previously, whenever if_remove() was called, the whole interface was
    deleted. In an AP MLD, all partner BSS use the same driver private
    context and hence removing the interface when only one of the links goes
    down should be avoided.
    
    Add a helper function to remove a link first whenever if_remove() is
    called. Later while handling it, if the number of active links goes to
    0, if_remove() would be called to clean up the interface.
    
    This helper function will be used later when co-hosted AP MLD support is
    added and as well later during ML reconfiguration support.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit d2b62b3
  12. AP MLD: Refresh beacons for other links when one gets disabled/enabled

    If one or more BSS from the interface is partnering with BSSs from
    another interface and if this interface gets disabled, the Beacon frames
    need to be refreshed for other interfaces. Similar thing should happen
    when it gets enabled.
    
    Add logic to refresh other interface Beacon frames when one of the
    interfaces is disabled or enabled.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 7a0501d
  13. AP MLD: Fix advertisement of MLD capabilities

    Previously, hostapd directly advertised the MLD capabilities received
    from the driver. Since this information is exchanged during
    initialization time only, the driver will advertise the maximum
    supported values. hostapd should parse it and then based on the current
    situation fill the values accordingly.
    
    For example, the maximum number of simultaneous links is supposed to be
    a value between 0 and 14, which is the number of affiliated APs minus 1.
    The driver advertises this value as 5 and hostapd, irrespective of the
    current active links, puts 5 in the frames.
    
    Fix this by parsing the value from the driver capabilities and then
    using the values as per the current situation of the links. The
    advertised values will be used as the upper limit.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 9fdbaf2
  14. nl80211: Print the MLD capabilities in debug

    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 63982fd
  15. AP MLD: De-initialize/disable link BSS properly

    When the first link BSS of an interface was de-initialized/disabled, the
    whole MLD was brought down. All other links were stopped beaconing and
    links were removed. And if the non-first link BSS was
    de-initialized/disabled, nothing happened. Even beaconing was not
    stopped which is wrong.
    
    Fix this by properly bringing down the intended link alone from the
    interface.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit df34c2c
  16. Export hostapd_sta_is_link_sta()

    This functionality can be shared with other files as well.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 19e50f8
  17. nl80211: Add callback function for removing link STAs

    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 1f88b3d
  18. AP MLD: Support removal of link station from AP

    Whenever ap_free_sta() was called, it deleted the whole station entry
    from the kernel as well. However, with MLD stations, there is a
    requirement to delete only the link station.
    
    Add support to remove the link station alone from an MLD station. If the
    link going to be removed is the association link, the whole station
    entry will be removed.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit a6d92da
  19. AP MLD: Remove restriction of having to disable the first link BSS last

    The first link BSS was always disabled last. However, now the first BSS
    can be dynamically adjusted. Hence, remove such restriction.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Mar 27, 2024
    Commit 4bc61b6
  20. OpenSSL: Fix a memory leak in CMAC

    The OpenSSL 3.0 (or newer) version of omac1_aes_vector() did not free
    the EVP_MAC. This resulted in a memory leak that shows up in a bit
    strange way in valgrind reports and because of that, was not caught
    during automated testing.
    
    Fixes: 0c61f62 ("OpenSSL: Implement CMAC using the EVP_MAC API")
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Mar 27, 2024
    Commit a9bc6e8
  21. tests: Flush scan cache to make dbus_anqp_get more reliable

    This test could have failed if scan results from a previously executed
    test case were still in the driver cache.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Mar 27, 2024
    Commit 0e4bff0
  22. Use the latest updated BSS entry for sending ANQP requests

    Try to find the BSS entry that contains the most likely current
    information for the target BSS. This is mainly needed to avoid some
    unusual behavior with APs changing their Beacon frame information in a
    manner that shows up in automated testing, but this might help with some
    more dynamic real world uses as well, so better do the BSS entry search
    for the newest entry.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Mar 27, 2024
    Commit 94506e8
  23. Revert "nl80211: Skip interface down/up when setting MAC address"

    This reverts commit bffd2b3.
    
    Revert this commit to fix a regression when setting up P2P Group Owner
    on some old device.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Hu Wang authored and jmalinen committed Mar 27, 2024
    Commit 9ac0e78
  24. tests: Avoid control interface throttling in various test cases

    These can cause unexpected test failures, so dump the pending monitor
    socket events more frequently in some cases where event throttling is
    seen.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Mar 27, 2024
    Commit 07c9f18

Commits on Apr 4, 2024

  1. Add a QCA vendor attribute to set avoid frequencies per netdev

    Add a new attribute QCA_WLAN_VENDOR_ATTR_AVOID_FREQUENCY_IFINDEX
    for QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY_EXT subcommand to
    apply rules for avoid frequencies on a specific netdev. This is a
    32-bit unsigned optional attribute.
    
    Signed-off-by: Purushottam Kushwaha <[email protected]>
    quic-pkushwah authored and jmalinen committed Apr 4, 2024
    Commit b818a1b
  2. AP MLD: Provide link addresses for non-AP MLDs in control interface

    Add affiliated link addresses for non-AP MLDs in the STA* control
    interface commands.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 4, 2024
    Commit 37c00c3
  3. MBSSID: Include Extended Capabilities element in non-TX BSSID profile

    Add the Extended Capabilities element for a non-TX BSS into the non-TX
    BSSID profile subelement in the Multiple BSSID element if the non-TX BSS
    has different extended capabilities than the TX BSS.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 4, 2024
    Commit 1f230a4
  4. tests: MBSSID and beacon protection disabled/enabled

    Verify that the Extended Capabilities element for the TX BSS shows
    beacon protection disabled and the Extended Capabilities element for the
    non-TX BSS (within the Multiple BSSID element) shows it enabled.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 4, 2024
    Commit e2ae53e

Commits on Apr 5, 2024

  1. Replace PTKSA cache inline stubs with wrapper function stubs

    PTKSA cache API is included in libpasn.so used by external modules,
    e.g., Wi-Fi Aware. To avoid dependency on CONFIG_PTKSA_CACHE define for
    the external modules at compile time, remove PTKSA cache static inline
    functions from the header file and add wrapper function stubs.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Vinay Gannevaram authored and jmalinen committed Apr 5, 2024
    Commit ba55088
  2. Replace PMKSA cache inline stubs with wrapper function stubs

    PMKSA cache API is included in libpasn.so used by external modules,
    e.g., Wi-Fi Aware. To avoid dependency on IEEE8021X_EAPOL define for the
    external modules at compile time, remove PMKSA cache static inline
    functions from the header file and add wrapper function stubs.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Vinay Gannevaram authored and jmalinen committed Apr 5, 2024
    Commit ab37a57
  3. PASN: Add set and get API for PASN data context

    Modules that use libpasn for PASN authentication need the context of
    PASN data. PASN data is a common context for the library and the modules
    using it. Hence, initialize the context through init and deinit
    functions. Also use set and get functions to update the parameters.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Vinay Gannevaram authored and jmalinen committed Apr 5, 2024
    Commit 147f836

Commits on Apr 12, 2024

  1. AP MLD: Find the link that is waiting for scan events

    In AP MLD case, HT scan results need to be handled in the link that
    triggered this scan. So find the link that has a valid scan_cb to handle
    EVENT_SCAN_RESULTS.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 12, 2024
    Commit 9b682e7
  2. AP MLD: Allow scan processing link to match the request

    If the driver provides an identifying cookie value for scan operations,
    use that to select which link processes the scan result. This is needed
    for OBSS scans that can be required in different links if operating as
    an AP MLD.  Distinguish the scans using scan_cookie for QCA vendor scan
    events.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 12, 2024
    Commit c9ad168
  3. AP MLD: Request Handle OBSS scan for a specific link

    OBSS scan can be required in different links if operating as an AP MLD.
    When triggering scan, specify the link ID for the driver to find the
    correct link to scan.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 12, 2024
    Commit d5e6f79

Commits on Apr 15, 2024

  1. AP MLD: Fix missing check for legacy client case

    The AP MLD case missed the "else" branch which handles legacy STA's
    disassociation. So this STA's sta_info will not be cleared ever.
    
    Add the "else" check to make sure the sta_info gets cleared.
    
    Fixes: 7ceafb6 ("AP MLD: Handle disassociation notification with SME offload to driver")
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 15, 2024
    Commit 216cfd7
  2. nl80211: AP MLD: Parse link ID to determine the BSS for radar event

    Link ID is more accurate to specify the BSS for a radar event in some
    corner cases, e.g., when there is a radar detection event and the driver
    then switches to another DFS channel. There will then be two events
    coming from the driver (CAC start and channel switch complete). In case
    the CAC-start event comes first, hostapd still stores the previous
    frequency and cannot find the correct link by calling
    nl80211_get_mld_link_by_freq() with the new frequency.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 15, 2024
    Commit 3226172
  3. AP MLD: Do not update other links' RNR element if not enabled yet

    When one link is still under CAC or disabled, peer links should not
    carry the information of this link in the RNR elements.
    
    With this change, the RNR element will be included only if a peer link
    is in HAPD_IFACE_ENABLED state.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 15, 2024
    Commit aaf879e
  4. AP MLD: Track radar detection in offloaded DFS case

    Add a new flag radar_detected which is used in the following cases
    when setting up a link on a DFS channel while the interface is not yet
    enabled:
        1. DFS link received CAC start event
        2. If no radar detected, link setup succeeds after CAC end
           event is received. Else go to 3.
        3. Radar detected on this link -> set radar_detected bit
        4. CAC end received for the current freq -> Do not setup interface
           as radar already detected. Clear radar_detected bit.
        5. The driver sends channel switch event to switch to another channel
            a. Switch to another DFS channel -> go to 1
            b. Switch to non-DFS channel -> proceed to set up interface
    
    Or when receiving a CAC start event when the interface is already set up:
        1. DFS link already set up successfully
        2. Radar detected on this link -> set radar_detected bit
           a. Switch to DFS channel
               a.1. CAC start -> clear radar_detected bit and partner RNR
               a.2. If radar detected, go to 2.
               a.3. CAC end -> clear radar_detected bit
               a.4. Link enabled successfully
           b. Switch to non-DFS channel
               b.1  No op and the driver handles this
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 15, 2024
    Commit f4b84ec
  5. hostapd: Fix channel switch to a DFS channel

    When we are configuring automatic channel selection, we are not able to
    switch to a given DFS channel because when we are trying to move to a
    DFS channel, the interface is disabled and enabled again. When the
    interface is disabled and enabled we are setting iface's freq and
    channel to 0 in setup_interface2() in case ACS is enabled, and now we
    don't know to which channel we were trying to move. Now ACS will run and
    the interface will be up in the channel that is suitable.
    
    To fix this issue add a flag named is_ch_switch_dfs to check if the
    channel switch request is for a DFS channel and we can use this in
    setup_interface2() to decide whether we have to set iface's freq and
    channel to 0 or not. This way iface's freq and channel will retain the
    values while channel switching to a DFS channel when ACS is enabled.
    
    Signed-off-by: Rajat Soni <[email protected]>
    Rajat Soni authored and jmalinen committed Apr 15, 2024
    Commit 36bd75d
  6. AP MLD: Set DTIM information properly in per-STA profile

    The DTIM information in the per-STA profile is set incorrectly. The DTIM
    period is set in the LSB octet of the DTIM Info subfield (2 octets),
    which is intended for the DTIM count.
    
    Fix this by setting the DTIM period and DTIM count information properly
    to the MSB and LSB octets of the DTIM Info subfield, respectively.
    
    Signed-off-by: Karthikeyan Kathirvel <[email protected]>
    Signed-off-by: Govindaraj Saminathan <[email protected]>
    Karthikeyan Kathirvel authored and jmalinen committed Apr 15, 2024
    Commit 92fdb49
  7. hostapd: Add RRM link measurement request support

    RRM link measurement request/report management frames are used to get
    the radio link information between the connected stations.
    
    Add new hostapd_cli command req_link_measurement to send an RRM link
    measurement request to an associated station. Add support to handle the
    link measurement report in hostapd.
    
    RRM link measurement support can be enabled with the following new
    configuration parameter:
    rrm_link_measurement_report=1
    
    Signed-off-by: Raj Kumar Bhagat <[email protected]>
    Signed-off-by: Yuvarani V <[email protected]>
    Raj Kumar Bhagat authored and jmalinen committed Apr 15, 2024
    Commit 1be706e
  8. nl80211: Update drv->ifindex on removing the first BSS

    Otherwise it will point at the ifindex of the just removed BSS.
    
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    Commit 47d7f31
  9. Cancel channel_list_update_timeout() in hostapd_cleanup_iface_partial()

    This fixes a crash when disabling an interface during channel list
    update.
    
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    Commit e1cd3fe
  10. ndisc_snoop: Call dl_list_del() before freeing IPv6 addresses

    This fixes a segmentation fault on STA disconnect in case IPv6 addresses
    were learned for the STA based on snooped neighbor solicitation.
    
    Fixes: bd00c43 ("AP: Add Neighbor Discovery snooping mechanism for Proxy ARP")
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    Commit 3ef0579
  11. nl80211: Rewrite neigh code to not depend on libnl3-route

    This removes an unnecessary dependency and also makes the code smaller.
    
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    Commit a210fdb
  12. mesh: Allow processing authentication frames in blocked state

    If authentication fails repeatedly, e.g., because of a weak signal, the
    link can end up in blocked state. If one of the nodes tries to establish
    a link again before it is unblocked on the other side, it will block the
    link to that other side. The same happens on the other side when it
    unblocks the link. In that scenario, the link never recovers on its own.
    
    To fix this, allow restarting authentication even if the link is in
    blocked state, but don't initiate the attempt until the blocked period
    is over. This reverts commit 09d96de ("mesh: Drop Authentication
    frames from BLOCKED STA").
    
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    Commit 8634e73
  13. Support qos_map_set without CONFIG_INTERWORKING

    This feature is useful on its own even without full interworking
    support.
    
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    dec6fcc
  14. hostapd: Only attempt to set QoS map if supported by the driver

    This fixes issues with full-MAC drivers like brcmfmac.
    
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    9a44236
  15. build: De-duplicate _DIRS before calling mkdir

    If the build path is long, the contents of the _DIRS variable can be
    very long, since it repeats the same directories very often. In some
    cases, this has triggered an "Argument list too long" build error.
    
    Reported-by: Robert Marko <[email protected]>
    Suggested-by: Eneas U de Queiroz <[email protected]>
    Signed-off-by: Felix Fietkau <[email protected]>
    nbd168 authored and jmalinen committed Apr 15, 2024
    4b755c9
  16. tests: Fix he_6ghz_reg to clear sae_groups

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 15, 2024
    a606256

Commits on Apr 16, 2024

  1. hostapd: Add support for testing Probe Response frame elements

    Add support for additional (vendor) elements to be added
    to only Probe Response frames, for testing.
    
    Signed-off-by: Johannes Berg <[email protected]>
    jmberg-intel authored and jmalinen committed Apr 16, 2024
    d43eb71
  2. tests: Add connecting-while-CSA tests

    Add a few tests to validate what happens with connections
    while an AP is doing CSA:
     - quiet to diff channel (shouldn't connect)
     - quiet to same channel (shouldn't connect)
     - non-quiet to diff channel (shouldn't connect)
     - non-quiet to same channel (should connect)
    
    Signed-off-by: Johannes Berg <[email protected]>
    jmberg-intel authored and jmalinen committed Apr 16, 2024
    41fd499
  3. tests: Add test with stuck ECSA in Probe Response frames

    Add a test behaving like an Asus RT-AC53 with firmware
    3.0.0.4.380_10760-g21a5898, which (in some cases?) can have an ECSA
    element stuck in the probe response, when the channel switch is long
    finished.
    
    Signed-off-by: Johannes Berg <[email protected]>
    jmberg-intel authored and jmalinen committed Apr 16, 2024
    ae1a990
  4. AP MLD: Simplify for_each_mld_link() macro

    for_each_mld_link() macro used three nested for loops. Since now the
    affiliated links are linked together via a linked list, the logic can be
    improved by using dl_list_for_each() macro instead which uses one for
    loop.
    
    Modify for_each_mld_link() macro to use dl_list_for_each() instead.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 16, 2024
    16aea07
  5. nl80211: Generate link add command on per-BSS basis for AP MLD

    Function nl80211_link_add() created the link add netlink message on drv
    basis which in turn always uses the drv's first BSS. To support link add
    for various other interfaces, use the per-BSS function to create the
    netlink message.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 16, 2024
    e876451
  6. nl80211: Print the interface name in debug during link add

    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 16, 2024
    62e0c10
  7. nl80211: Send link_id on sta_deauth()

    i802_sta_deauth() already has the link_id passed to it in its arguments.
    Use that to pass it down to send MLME handler as well.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 16, 2024
    85ea5f3
  8. tests: Fix sigma_dut_dpp_pb_ap to clear sae_groups

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 16, 2024
    ea2c5fe

Commits on Apr 17, 2024

  1. tests: Update server and user certificates (2024)

    At least some of the previous versions have expired, so need to re-sign
    these to avoid EAP test case failures. This contains updates from
    running tests/hwsim/auth_server/update.sh.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Apr 17, 2024
    9e59cb8
  2. tests: Update RSA 3k certificates (2024)

    These have not yet expired, but it is easier to get in sync with all
    certificate updates.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Apr 17, 2024
    25e465d

Commits on Apr 19, 2024

  1. Add QCA vendor feature flag for TWT responder support in HT and VHT modes

    Add a feature flag to indicate driver support for TWT responder for AP
    operating in HT and VHT modes.
    
    Signed-off-by: Manaswini Paluri <[email protected]>
    Manaswini Paluri authored and jmalinen committed Apr 19, 2024
    54b1df8
  2. Add TWT responder support for AP in HT and VHT modes

    Add support for TWT responder for AP operating in HT and VHT modes by
    introducing a new configuration parameter ht_vht_twt_responder. When
    this is enabled, TWT responder mode support in HT and VHT modes is
    enabled if the driver supports this and is disabled otherwise.
    
    Signed-off-by: Manaswini Paluri <[email protected]>
    Manaswini Paluri authored and jmalinen committed Apr 19, 2024
    3c79173
  3. Add QCA vendor interface for reporting station info in unicast event

    Add a QCA vendor command for registering NL80211_CMD_GET_STATION
    response as a unicast event when there is a NL80211_CMD_GET_STATION
    request from any userspace module.
    
    The driver will send the unicast events with the same netlink port ID
    which is used by userspace application for sending the registration
    command. If multiple registration commands are received with different
    netlink port IDs, the driver will send unicast event with each netlink
    port ID separately.
    
    Userspace application can deregister the unicast events with disable
    configuration. The registrations will be removed automatically by the
    driver when the corresponding netlink socket is closed.
    
    This will help avoid multiple NL80211_CMD_GET_STATION requests from
    different userspace applications in short span. The userspace
    application which registers for the unicast event can avoid sending
    NL80211_CMD_GET_STATION request again if the response is available with
    a recently received unicast event.
    
    Signed-off-by: Veerendranath Jakkam <[email protected]>
    Veerendranath Jakkam authored and jmalinen committed Apr 19, 2024
    47d1307
  4. Add a vendor attribute to configure custom keep-alive interval for STA

    Introduce an attribute QCA_WLAN_VENDOR_ATTR_CONFIG_KEEP_ALIVE_INTERVAL
    in QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION to configure
    station's keep-alive interval to the driver/firmware. This can be used
    to resolve kickout issues from APs which kick out STAs before the BSS
    maximum idle period expires.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Aleti Nageshwar Reddy authored and jmalinen committed Apr 19, 2024
    61c8cc9
  5. nl80211: Restore libnl3-route inclusion for full VLAN support with netlink

    The changes in nl80211 to get rid of the libnl3-route dependency are not
    sufficient to fully remove the dependency from other parts of the code.
    Revert the makefile related changes from that commit to avoid build
    issues for cases where CONFIG_FULL_DYNAMIC_VLAN=y and
    CONFIG_VLAN_NETLINK=y are used without CONFIG_DRIVER_MACSEC_LINUX=y
    pulling in the needed library.
    
    Fixes: a210fdb ("nl80211: Rewrite neigh code to not depend on libnl3-route")
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 19, 2024
    9fcc636

Commits on Apr 20, 2024

  1. tests: Enable TLSv1.3 test cases with OpenSSL 3.3

    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Apr 20, 2024
    9e3988f
  2. AP MLD: Use if/else/endif comments more consistently

    Include the condition in #else similarly to #endif.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 20, 2024
    e4e7724
  3. AP MLD: Handle authentication and association on link address

    The nl80211 driver interface function mlme_event_mgmt_tx_status(),
    filled in link_id only if the frame was the last transmitted on the
    whole drv (driver) level. With co-hosted MLDs, there could be cases
    where multiple frames are sent out by various interfaces (BSS) under the
    same drv. Now while handling the TX status, only one interface will get
    the proper link_id. Rest will get -1 and the event will be routed to the
    first BSS always. If the frame was not sent from the first BSS this
    leads to possibility of the frame getting dropped.
    
    Hence to make the underlying link identification easier, modify
    authentication and association frames to be always sent with the link
    address as A1 and A3 for ease of TX status handling.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    fd1a35e
  4. Remove the bssid argument from send_auth_reply()

    This became unused, so remove the argument from this function, all its
    callers, and from places that became unused with these changes.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 20, 2024
    866ed63
  5. AP MLD: Reset authenticator state machine's ML info

    Authenticator state machine ML info was set only when it was created.
    However, if the association is tried again, the state machine will
    already exist and hence the ML info will not be refreshed. This leads to
    an issue where if in the subsequent association request, the MLD info is
    different than the old info, validation of it will fail.
    
    Fix this issue by refreshing the authenticator state machine's ML info
    every time association request is handled.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 20, 2024
    9098535
  6. AP MLD: Support cohosted ML BSS

    AP MLD was added with an assumption of only a single BSS per link in the
    hostapd configuration. This needs to be extended when a cohosted ML BSS
    exists in the same configuration.
    
    Extend the support for cohosted BSSs. This is required for MBSSID MLO
    support as well.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    3d0cc61
  7. AP MLD: Extend support for cohosted ML BSS

    Modify necessary helper functions to support multiple BSS support for
    MLO to make the changes scalable.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    d9c5d60
  8. AP MLD: Use link_id in the get_hapd_bssid() helper function

    The get_hapd_bssid() function matched the given BSSID in all BSSs of its
    own interface. However, with MLO, there is a requirement to check its own
    partner BSS at least.
    
    Compare the BSS's link partners as well and if the specified link ID
    matches the link ID of the partner, return the BSS.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    c36ad11
  9. AP MLD/nl80211: Pass ctx in mlme_event_mgmt()

    Pass ctx in mlme_event_mgmt(). This will help in routing the event
    properly to the link BSS.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    80864d0
  10. nl80211: Move Management frame TX status to per BSS handling

    Management frame TX status events were handled on drv's first BSS
    only. However, to support multiple MLDs there is a requirement to handle
    this on a given BSS.
    
    Use the passed BSS instead of always going with drv's first BSS.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    efb484b
  11. nl80211: Move control port TX status to per BSS handling

    Control port TX status events were handled on drv's first BSS
    only. However, to support multiple MLDs there is a requirement to handle
    this on a given BSS.
    
    Use the passed BSS instead of always going with drv's first BSS.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    93d204b
  12. hostapd: Make hostapd_eapol_tx_status() function static

    hostapd_eapol_tx_status() function is used only in drv_callbacks.c.
    However, it is defined in ieee802_11.c which is not really the correct
    place for it.
    
    Hence, move the function into drv_callbacks.c and make it static.
    
    No functionality changes.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    636530b
  13. AP MLD: Handle link_id in EAPOL TX status handler

    Add link ID support into EAPOL TX status handler so that the events can
    be routed to the appropriate link BSSs.
    
    Check each BSS's other partner link BSS STA list as well in
    hostapd_find_by_sta() to support this.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    eea52c4
  14. AP MLD: Handle link_id in EAPOL RX handler

    Add link ID support into EAPOL RX handler so that the events can
    be routed to the appropriate link BSSs.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    a518810
  15. AP MLD: Update all partner links' beacons

    Whenever there is a beacon update for any one of the affiliated links,
    all the other partner links' beacons should be refreshed.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Sriram R authored and jmalinen committed Apr 20, 2024
    4a1197a
  16. AP MLD: Skip association link processing in ML info

    All links were iterated over during processing ML info in Association
    Request frame. However, the association link info will not be present in
    the ML info and hence the following debug print is observed during ML
    association (assoc link is 1):
    
    MLD: No link match for link_id=1
    
    Skip processing for the association link to avoid this.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 20, 2024
    19fdcf5
  17. AP MLD: Enhance authenticator state machine

    Add required ML specific members in struct wpa_authenticator and struct
    wpa_state_machine to maintain self and partner link information.
    
    Maintain state machine object in all associated link stations and
    destroy/remove references from the same whenever link stations are
    getting removed.
    
    Increase the wpa_group object reference count for all links in which ML
    station is getting associated and release the same whenever link
    stations are getting removed.
    
    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    3ea7cf1
  18. Use defined values for RSN PN length

    Make the code more readable by using a define for the PN length to avoid
    potential confusion of this 6 octet length with the MAC address length.
    In addition, use ETH_ALEN more consistently for the latter.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 20, 2024
    8891ebd
  19. AP MLD: Require same AKM and pairwise cipher for all links

    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Co-developed-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    84d2a36
  20. AP MLD: Debug print of MLO KDE lengths

    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Co-developed-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    e5b4987
  21. AP MLD: Mark GKeyDone completed for STAs in a helper function

    This makes it easier to extend the design for MLO group rekeying.
    
    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Co-developed-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    78adbf2
  22. AP MLD: Calculate ML KDE length separately for each link

    Calculate link-specific MLO GTK/IGTK/BIGTK KDE lengths based on
    corresponding cipher and key instead of taking length of one link and
    multiplying it by number of associated links. This is needed since the group
    ciphers might be different between the affiliated links.
    
    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Co-developed-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    62a8f96
  23. AP MLD: Support group rekeying for MLO

    Group rekeying was not supported for ML stations when non-association
    link initiates a group rekey. Support this by arming the group key rekey
    timer on one of the affiliated links and whenever this timer fires,
    rekey group keys on all the affiliated links.
    
    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Co-developed-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    12acda6
  24. AP MLD: Run authenticator state machine for all links

    This is needed for MLO group rekeying.
    
    Signed-off-by: Rameshkumar Sundaram <[email protected]>
    Co-developed-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Adil Saeed Musthafa <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Rameshkumar Sundaram authored and jmalinen committed Apr 20, 2024
    5e3c2b4
  25. AP MLD: Link-specific flushing of stations

    Whenever a BSS was set up, hostapd flushed all stations via the flush()
    driver operation which maps to NL80211_CMD_DEL_STATION in the nl80211
    interface. However, in case of MLO, a station could have been connected
    to other links by the time this link is coming up. Since link ID was not
    passed to flush(), all those station entries were also removed in the
    driver which is wrong.
    
    Include the link ID along with the command in AP MLD so that the driver
    can use this link ID and flush only the stations that use the passed
    link ID as one of their links.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 20, 2024
    b1e4633
  26. AP MLD: Add link details in STATUS command

    Include link ID and partner link details in the STATUS command output
    for AP MLDs.
    
    The details would be seen as below for an AP MLD interface:
    
    $ hostapd_cli -i wlan0 status | grep link
    num_links=1
    link_id=0
    link_addr=AA:BB:CC:DD:EE:FF
    
    $ hostapd_cli -i wlan1 status | grep link
    num_links=2
    link_id=0
    link_addr=AA:BB:CC:DD:EE:FF
    partner_link[1]=AA:BB:CC:DD:EE:AA
    
    Signed-off-by: Harshitha Prem <[email protected]>
    Co-developed-by: Manish Dharanenthiran <[email protected]>
    Signed-off-by: Manish Dharanenthiran <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Harshitha Prem authored and jmalinen committed Apr 20, 2024
    8d434bf
  27. Fix RNR building for co-location and MLO

    RNR formation for co-location or MLO did not work as expected. Fix this.
    
    For example, during co-location, if the BSS is also its ML partner
    there is no need to include a separate TBTT for it.
    
    Also, during co-location, if the BSS is not its partner but it is ML
    capable, the TBTT length should be 16 bytes and it should include the
    MLD Parameters for it in the RNR.
    
    During co-location, for a given Neighbor AP (operating on a given
    channel and op-class) if it has BSSs which are ML capable as well as
    BSSs which are not, there should be two Neighbor AP Info present: one
    indicating TBTT length as 13 bytes and one indicating TBTT info length
    as 16 bytes.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 20, 2024
    de1bfda
  28. Check whether to skip a BSS in RNR with a shared helper

    The functions that determine the length of the RNR information and that
    build the actual RNR need to use the same conditions for skipping BSSs.
    Use a shared helper function for this to avoid having to maintain two
    copies of the same implementation and risking those getting out of
    sync.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 20, 2024
    b3ad54e
  29. tests: Clear scan cache in ap_hs20_anqp_invalid_gas_response

    This is needed to avoid unexpected behavior if a previously executed
    test case has left a BSS entry with Interworking enabled into the case.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Apr 20, 2024
    42517eb
  30. Clear connect_without_scan on network profile removal

    wpa_s->connect_without_scan could have been left pointing to an invalid
    network when a network profile was removed. It seems to be possible for
    this to happen in some hwsim test case scenarios under specific timing,
    but the exact reason for this is not clear. In any case, this pointer
    needs to be cleared.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Apr 20, 2024
    2bbe482

Commits on Apr 21, 2024

  1. tests: Wait after removing a BSS

    When a BSS is removed, the flow continues without actually
    waiting for the AP to be stopped. This is racy in flows that
    actually expect the AP to be stopped, e.g., test_ap_bss_add_remove().
    
    Try to mitigate such cases by adding a short sleep after the
    AP is removed.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Apr 21, 2024
    0df2c72
  2. wpa_supplicant: Do not roam to an associated link

    When considering to roam to a different BSS and the connection
    is an MLD connection, do not roam to a BSS which is already
    included in the MLD connection.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Apr 21, 2024
    6f3e7c5
  3. SME: MLD: Deauthenticate when failing to parse ML element

    If parsing the basic ML element in the Authenticate frame fails,
    instead of only disassociating, completely deauthenticate so all
    state machines would be in a consistent state.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Apr 21, 2024
    39fefea
  4. SME: MLD: Clear MLD state only after the deauthentication

    In case of failure handling an Authentication frame from the AP MLD,
    clear the MLD state only after the deauthentication is done. This allows
    deauthentication process to use the AP MLD MAC address.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Apr 21, 2024
    5d9b4a1
  5. MLD: Use AP MLD MAC address with deauthenticate

    When the authentication is an MLD authentication, the AP MLD MAC address
    needs to be used when requesting the driver to deauthenticate.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Apr 21, 2024
    4d2f76f
  6. ctrl_iface: Allow sending ML probe without AP MLD ID

    If one sends a Probe Request frame to a non-TX BSSID, no AP MLD ID
    should be included in the request. Permit mld_id to be -1 so that it is
    not a required argument and can be left out.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Apr 21, 2024
    ff798fb
  7. wpa_supplicant: Do not allow fast associate before scanning 6 GHz

    In case the channel map was updated to include the 6 GHz but these channels
    were not scanned yet, do not allow fast associate.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Apr 21, 2024
    cf36ffd
  8. dbus: Use correct values for persistent group

    D-Bus expects "persistent" to be a bool (0/1) and crashes otherwise.
    Since persistent may also be 2 convert it to boolean.
    
    Signed-off-by: Andrei Otcheretianski <[email protected]>
    Signed-off-by: Benjamin Berg <[email protected]>
    aotchere authored and jmalinen committed Apr 21, 2024
    9b1e0ab
  9. P2P: Call normal SD query callback on RX/TX race

    If the TX success response races with the RX frame then the state
    machine was simply moved to P2P_SD_DURING_FIND to continue the operation.
    However, this does not take into account broadcast queries where the
    callback handler updates the peer's sd_pending_bcast_queries.
    
    Fix this by exporting the callback and calling it directly. This is
    fine, as the operation is cancelled immediately afterwards, ensuring
    that the callback is not called a second time.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Apr 21, 2024
    7cf3cea
  10. Fix center segment indexes in channel switch fallback to non-5 GHz cases

    Hardcoded conversion for 5 GHz band was used, but this won't work for
    other cases. Set the correct center segment indexes in channel switch
    fallback for non-5GHz band.
    
    Signed-off-by: Jurijs Soloveckis <[email protected]>
    Jurijs Soloveckis authored and jmalinen committed Apr 21, 2024
    2e1f7d0
  11. wpa_cli: Make WPA_EVENT_CHANNEL_SWITCH events accessible to action scripts
    
    Make the channel switch complete event, WPA_EVENT_CHANNEL_SWITCH,
    accessible to the action script.
    
    Signed-off-by: arun.jose <[email protected]>
    arun.jose authored and jmalinen committed Apr 21, 2024
    f44a07d
  12. Allow Session-Timeout with PSK RADIUS during 4-way handshake

    When the RADIUS response included a Session-Timeout attribute, but is
    otherwise valid (an Access-Accept with a valid Tunnel-Password), the
    association still failed due to the strict comparison of the accepted
    value with HOSTAPD_ACL_ACCEPT. Apparently this combination wasn't
    previously tested.
    
    Extend this to allow a packet containing a valid Session-Timeout
    attribute to be accepted by extending the "success" comparison to
    include HOSTAPD_ACL_ACCEPT_TIMEOUT.
    
    Fixes: 1c3438f ("RADIUS ACL/PSK check during 4-way handshake")
    Signed-off-by: Lee Harding <[email protected]>
    lee-11 authored and jmalinen committed Apr 21, 2024
    e6ec62a
  13. 8f83b7d

Commits on Apr 22, 2024

  1. Add a vendor attribute value to set aggressive roaming mode

    Add QCA_ROAMING_MODE_AGGRESSIVE in enum qca_roaming_policy to set
    aggressive roaming mode. In addition, document the existing enum values.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Aleti Nageshwar Reddy authored and jmalinen committed Apr 22, 2024
    ed78f56
  2. AP MLD: Do not store per-supplicant AP MLD MAC address information

    There is no need to store the AP MLD MAC address within per-supplicant
    data structure in struct wpa_state_machine since that MLD MAC address is
    available from the generic authenticator data in struct
    wpa_authenticator.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    3b68eef
  3. AP MLD: Do not store per-supplicant AP link MAC address information

    There is no need to store the AP MLD's link MAC addresses within
    per-supplicant data structure in struct wpa_state_machine since those
    MAC addresses are available from the generic authenticator data in
    struct wpa_authenticator.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    20872d5
  4. AP MLD: Do not store per-supplicant AP RSNE/RSNXE information

    There is no need to store the AP MLD's RSNE/RSNXE within per-supplicant
    data structure in struct wpa_state_machine since those elements are
    available from the generic authenticator data in struct
    wpa_authenticator.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    b269717
  5. AP MLD: Add MLO Link KDE for each affiliated link in EAPOL-Key 3/4

    Previously, MLO Link KDE was added only for each link that was
    negotiated for the ML association. However, IEEE Std 802.11be/D5.0,
    12.7.6.1 defines the MLO Link KDE to be included "for each affiliated
    AP" which is not constrained by what the non-AP MLD might have requested
    or what the negotiation outcome for this particular ML association is.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    df59880
  6. tests: AP MLD with two links when only one of the links is negotiated

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    4208079
  7. tests: Fix autogo_chan_switch to not drop HT capability

    This test case ended up dropping HT capability on channel switch which
    is now resulting in mac80211 disconnecting. Avoid this by leaving HT
    enabled. In addition, check the P2P Client events explicitly.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    97da087
  8. tests: Fix a race condition in mesh_link_probe

    Wait for both peers to be connected before checking MESH_LINK_PROBE
    behavior. Without this, it was possible for a MESH_LINK_PROBE command to
    be issued before the specific peer had been added and that would result
    in the nl80211 command failing.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 22, 2024
    e141b33
  9. Add QCA vendor subcommand to suspend/resume AP interface

    Add a new QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_AP_SUSPEND to
    allow suspending and resuming the AP interface. When an AP is suspended, it
    disconnects all connected clients and stops all TX/RX operations on the
    AP interface. The driver retains the AP configuration and on resume, all
    AP operations are resumed with the same configuration.
    
    This subcommand is also used in the event path to notify userspace about
    AP suspended or resumed state changes.
    
    This uses attributes defined in enum qca_wlan_vendor_attr_ap_suspend.
    
    Signed-off-by: Purushottam Kushwaha <[email protected]>
    quic-pkushwah authored and jmalinen committed Apr 22, 2024
    df14f1e
  10. AP MLD: Set link_id field in hostapd_freq_params when setting up AP

    If not set, 0 is set by default and this could fail in the following
    code path when link ID is not matching:
    hostapd_drv_set_ap -> wpa_driver_nl80211_set_ap -> nl80211_set_channel
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 22, 2024
    11dfdf6
  11. nl80211: Update link bandwidth when receiving channel switch event

    There is a chance that the driver has switched the channel width so we
    should update the bandwidth, too, when receiving a channel switch event.
    Otherwise, this may cause out of sync for bandwidth between i802_link
    and hostapd_config.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Apr 22, 2024
    5308029

Commits on Apr 23, 2024

  1. Define QCA vendor commands for flow stats/classification

    Add nl80211 vendor commands and attributes for the collection of flow
    stats and classification.
    
    - QCA_NL80211_VENDOR_SUBCMD_FLOW_STATS
    - QCA_NL80211_VENDOR_SUBCMD_FLOW_CLASSIFY_RESULT
    - QCA_NL80211_VENDOR_SUBCMD_ASYNC_STATS_POLICY
    - QCA_NL80211_VENDOR_SUBCMD_CLASSIFIED_FLOW_REPORT
    
    Signed-off-by: Rakesh Pillai <[email protected]>
    Rakesh Pillai authored and jmalinen committed Apr 23, 2024
    5929b4e
  2. FILS: Add Operating Class and Primary Channel in FD for non-PSC chan

    If a non-PSC 6 GHz channel with bandwidth higher than 20 MHz is
    configured, duplicate beacons/FD/UBPR will be transmitted in other 20
    MHz channels of the current configured bandwidth to aid in faster scan.
    In such cases the duplicate FD needs to carry the Operating Class and
    Primary Channel subfields for non-AP STAs to identify the primary
    non-PSC.
    
    IEEE Std 802.11-2020, 9.6.7.36 (FILS Discovery frame format):
    "The Operating Class subfield specifies the operating class of the
    Primary Channel of the transmitting AP (see 9.4.1.36).
    
    The Primary Channel subfield is set to the channel number of the primary
    channel (see 11.15.2) if the FILS Discovery frame is transmitted as a
    non-HT duplicate PPDU; otherwise, the subfield is not present."
    
    Hence, add the Operating Class and Primary Channel subfields if the
    current channel is non-PSC and the channel bandwidth is 40 MHz or
    higher.
    
    Signed-off-by: Sriram R <[email protected]>
    Signed-off-by: Karthikeyan Kathirvel <[email protected]>
    Sriram R authored and jmalinen committed Apr 23, 2024
    b911310
  3. Make selection of current opclass more generic for 20 MHz UNI-III channels
    
    According to IEEE Std 802.11-2020, Operating classes Table E-2 (Europe)
    and Table E-6 (China) map channels in the range 149 to 161 to the global
    operating class 125, while Table E-1 (United States) maps these channels
    to global operating classes 125 and 124 as well. The global operating
    class 125 contains all channels from the global operating class 124 and
    some additional channels.
    
    Hence, to make the selection of the current operating class generic, use
    operating class 125 for all 20 MHz channels in the range 149 to 161.
    
    Signed-off-by: Amith A <[email protected]>
    Amith A authored and jmalinen committed Apr 23, 2024
    195cc3d

Commits on Apr 24, 2024

  1. tests: Fix a typo in opclass test descriptions

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 24, 2024
    ef5d2f9
  2. tests: Update opclass 124 test to use opclass 125

    This is needed to match the implementation change to map the 5 GHz
    channels 149-175 to the global operating class 125 instead of 124.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 24, 2024
    b38f14e
  3. More generic unsolicited broadcast Probe Response template setup

    When AP is beaconing only on the 6 GHz band and unsol_bcast_presp
    interval is set, AP sends unsolicited broadcast Probe Response frames
    for in-band discovery. hostapd sent the Probe Response template for this
    frame only when setting a new beacon.
    
    As a preparation for extending this functionality to other cases, move
    the generation of the unsolicited broadcast Probe Response template into
    a more generic function and data structure.
    
    Signed-off-by: Rathees Kumar R Chinannan <[email protected]>
    Rathees Kumar R Chinannan authored and jmalinen committed Apr 24, 2024
    7d0c089
  4. Update Probe Response template on channel switch

    When AP is beaconing only on the 6 GHz band and unsol_bcast_presp
    interval is set, AP sends unsolicited broadcast Probe Response frames
    for in-band discovery. hostapd sent the Probe Response template for this
    frame only when setting a new Beacon frame template.
    
    Extend this to update the Probe Response template during channel switch.
    
    Signed-off-by: Rathees Kumar R Chinannan <[email protected]>
    Rathees Kumar R Chinannan authored and jmalinen committed Apr 24, 2024
    6f1fbeb
  5. Update Probe Response template on BSS color change

    When AP is beaconing only on the 6 GHz band and unsol_bcast_presp
    interval is set, AP sends unsolicited broadcast Probe Response frames
    for in-band discovery. hostapd sent the Probe Response template for this
    frame only when setting a new Beacon frame template.
    
    Extend this to update the Probe Response template during BSS color
    change.
    
    Signed-off-by: Rathees Kumar R Chinannan <[email protected]>
    Rathees Kumar R Chinannan authored and jmalinen committed Apr 24, 2024
    51b5b95
  6. tests: Basic cohosted MLDs functionality testing

    Add test cases to test basic cohosted MLDs functionality. Add helper
    functions to create the configuration file, start hostapd instance.
    
    Client connectivity test case will be added via a subsequent commit.
    
    eht_mld_cohosted_discovery: 2 co-hosted MLDs without non-MLD RNR. Basic
    bring up and beacon, MLD RNR, scan validation.
    
    eht_mld_cohosted_discovery_with_rnr: Same as eht_mld_cohosted_discovery
    but additionally non-MLD RNR (rnr=1) is also enabled. Validate the non-MLD
    RNR as well.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 24, 2024
    a1e585f
  7. tests: Cohosted MLDs connectivity testing

    Add a test case 'eht_mld_cohosted_connectivity' which creates two 2 link
    AP MLDs, connects a 2 link MLD client to each one of them, and tests
    data traffic.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Apr 24, 2024
    1dda619

Commits on Apr 25, 2024

  1. AP MLD: Remove unused get_ml_rsn_info callback definition

    This is not used anymore after the previous AP MLD cleanup.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Apr 25, 2024
    bd36dc9

Commits on May 7, 2024

  1. Add a new QCA vendor attribute to set reduced power scan mode

    Userspace can use QCA_WLAN_VENDOR_ATTR_CONFIG_REDUCED_POWER_SCAN_MODE to
    configure reduced power scan mode to the driver/firmware.
    
    Signed-off-by: Mukul Sharma <[email protected]>
    Mukul Sharma authored and jmalinen committed May 7, 2024
    0ae0879
  2. P2P: Fix fast IP address allocation for invitation of a persistent group

    Allocate static IPv4 address in EAPOL frames during 4-way handshake
    instead of DHCP when using P2P invitation. wpa_s->current_bss needs to
    be set for the P2P specific IP address assignment mechanism to be used
    in wpa_supplicant_rsn_supp_set_config(). This worked for the initial P2P
    connection, but not for some cases reinvoking a persistent group.
    
    Since there is only one AP (P2P GO) in the P2P client case, the
    conditions added in commit 4d3be9c ("Postpone updating of
    wpa_s->current_bss till association event") are not needed and the
    easiest approach for this is to allow current_bss to be set for
    p2p_in_invitation cases. If the GO P2P Interface Address (BSSID) could
    be determined for all the related cases, this could be addressed a bit
    more cleanly by setting the go_bssid argument for
    wpas_start_p2p_client(), but that can be left as a possible future step.
    
    Signed-off-by: tzu-meng wang <[email protected]>
    mtk30479 authored and jmalinen committed May 7, 2024
    ed56dfc

Commits on May 10, 2024

  1. Add QCA vendor attribute for uplink delay jitter

    Add uplink delay jitter attribute in responses of
    QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO vendor command.
    
    Signed-off-by: Veerendranath Jakkam <[email protected]>
    Veerendranath Jakkam authored and jmalinen committed May 10, 2024
    cb40986
  2. Add kernel documentation for nss and chain configuration vendor command

    Add kernel documentation to the attributes used in the vendor command
    QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION to configure the NSS
    and chains values used for transmitting and receiving the data.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Aditya Kodukula authored and jmalinen committed May 10, 2024
    c484a0f
  3. Add vendor attributes to configure TX/RX NSS and chains per band

    Add attributes to QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION
    vendor command to configure asymmetric TX/RX NSS and chains per band.
    Also document driver's response when existing attributes to configure
    TX/RX NSS and chains for all the bands 2.4 GHz and 5/6 GHz are used in
    the same command.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Aditya Kodukula authored and jmalinen committed May 10, 2024
    4c0ea82
  4. Add QCA vendor attribute to get number of TX/RX packets for each NSS

    Add support to get the number of TX/RX packets for each NSS value from
    the driver.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Aleti Nageshwar Reddy authored and jmalinen committed May 10, 2024
    7566370

Commits on May 29, 2024

  1. WNM: Configurable BSS Max Idle Period management on AP

    Allow AP's behavior for BSS Max Idle Period management to be configured.
    Previously, this was automatically enabled for all CONFIG_WNM_AP=y
    builds. This can now be changed with the new hostapd configuration
    parameter bss_max_idle:
    0 = BSS Max Idle Period management disabled
    1 = BSS Max Idle Period management enabled
        (default and the previous behavior)
    2 = BSS Max Idle Period management enabled with requirement for
        protected keep-alive frames
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    846b1d6
  2. WNM: Group rekeying skipping with BSS max idle period management

    Allow hostapd to be configured to not disconnect a STA if the STA fails
    to reply to a group key handshake when BSS max idle period management is
    used. This might be needed for some STAs that use aggressive power
    saving (e.g., battery powered IoT devices).
    
    This is disabled by default since this can delay group rekeying
    slightly and also to maintain the previous behavior. The more relaxed
    operation can be enabled with the new configuration parameter
    no_disconnect_on_group_keyerror=1.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    6cd0231
  3. tests: More coverage for WNM BSS max idle period management

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    fdf2367
  4. tests: Use consistent indentation level for clear_regdom_state()

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    829ab90
  5. WNM: Allow a specific BSS max idle period to be requested

    Add a new wpa_supplicant network profile parameter max_idle that can be
    used to specify a specific maximum idle period in units of 1000 TUs
    (1.024 s) for associations.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    6594ea9
  6. WNM: AP configuration to allow BSS max idle period requests

    Add a new hostapd configuration parameter max_acceptable_idle_period to
    allow the AP to accept per-STA requested BSS max idle periods.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    58ac46b
  7. WNM: Include BSS max idle period in STATUS command output

    This makes it a bit easier to test BSS max idle period management.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    2c89b56
  8. tests: WNM BSS max idle period management

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed May 29, 2024
    e4e91f5

Commits on Jun 7, 2024

  1. Add new traffic type values for flow report vendor attribute

    Define new traffic type values for
    QCA_WLAN_VENDOR_ATTR_FLOW_STATS_TRAFFIC_TYPE attribute.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Kiran Kumar Lokere authored and jmalinen committed Jun 7, 2024
    a5ee11e
  2. Add vendor attributes to detect data stall for consecutive TX no ack

    Add following vendor attributes to dynamically configure parameters to
    detect data stall for consecutive TX no ack.
     - QCA_WLAN_VENDOR_ATTR_CONFIG_CONSECUTIVE_TX_NO_ACK_DURATION
     - QCA_WLAN_VENDOR_ATTR_CONFIG_CONSECUTIVE_TX_NO_ACK_THRESHOLD
    
    Signed-off-by: Jianmin Zhu <[email protected]>
    Jianmin Zhu authored and jmalinen committed Jun 7, 2024
    ffcb739
  3. Add a new QCA vendor attribute to set interface offload type

    Userspace tools can use QCA_WLAN_VENDOR_ATTR_CONFIG_IF_OFFLOAD_TYPE to
    configure the different below acceleration features (hardware, software)
    on a per interface basis.
    
    0 - No acceleration: Packets are processed through the Linux kernel
    networking stack.
    
    1 - Software based acceleration: Packets are processed through the
    shortcut forwarding engine (SFE) to bypass the Linux networking stack
    for improved throughput performance. This option is applicable for AP,
    STA, and Mesh mode and available for all radio designs. From the
    performance aspect, this option consumes more CPU compared to the other
    two options. Linux traffic control can be further applied with this
    option to have more control on the traffic flows.
    
    2 - Hybrid acceleration (software and hardware acceleration combined):
    Packets are processed through both hardware and software in this case.
    Packet classification is done by the hardware and then the packets are
    delivered to software along with classification results as meta data.
    Software can choose to do more classification/QoS based on use cases.
    This is applicable for AP, STA, and Mesh modes and is available for all
    radio designs. From the performance aspect, this option consumes
    relatively less CPU compared to the SFE option above. Linux traffic
    control rules cannot be applied with this option.
    
    3 - Hardware based acceleration: Packets are processed through special
    hardware (Direct Switch) rings which can directly forward the packets
    between ethernet hardware and Wi-Fi hardware with very little software
    involvement. This is applicable only for AP and STA modes; not
    applicable for Mesh mode. From the performance aspect, this option
    consumes very much less CPU compared to the other options. Linux traffic
    control rules cannot be applied when this option is used. This option is
    applicable only for specific radio designs. When this option is not
    available, the default option (SFE) would be configured.
    
    Signed-off-by: Balamurugan Mahalingam <[email protected]>
    Balamurugan Mahalingam authored and jmalinen committed Jun 7, 2024
    1b96745

Commits on Jun 10, 2024

  1. wlantest: Initial support for Multiple BSSID procedure

    Parse the Multiple BSSID element in Beacon frames and create and update
    all the nontransmitted BSSs.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jun 10, 2024
    2829f1c

Commits on Jun 11, 2024

  1. AP MLD: Fix deferred first link BSS's authentication server init

    Currently, RADIUS client, auth server, and 802.1X are copied from the
    first link's BSS into the non-first link during its setup. However,
    there could be a case where the first link is not initialized fully
    because of ACS/HT40 SCAN/DFS. Hence, in such cases, NULL is getting
    copied and later it leads to segmentation fault.
    
    Initialize those on behalf of the first link in such case and update it
    so that the next time other non-first link can use it.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 11, 2024
    3cf7bf6
  2. ACS: Handle scan start request failure with error code -EBUSY

    Currently, if ACS scan request fails, states are cleared and returned.
    However, in case of MLO, there is a possibility of getting return value
    of -EBUSY. In this case, ACS can retry the scan request after some time
    similarly to the HT40 scan.
    
    Hence, retry the scan after 5 seconds if -EBUSY is returned. Maximum of
    15 re-attempts are made before giving up.
    
    Signed-off-by: Harshitha Prem <[email protected]>
    Co-developed-by: Aditya Kumar Singh <[email protected]>
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Harshitha Prem authored and jmalinen committed Jun 11, 2024
    3e52a90

Commits on Jun 12, 2024

  1. hostapd: Add support to change BSS color from the control interface

    Add hostapd_cli command "color_change <color>" to change BSS color at
    run time. hostapd_cli status can be used to check the updated color.
    
    Usage: hostapd_cli -i <interface> color_change <color>
    
    If 0 value is given, HE BSS color would be disabled. Same or a non-zero
    value between [1-63] can be given to enable color again.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 12, 2024
    d8e1a35
  2. Remove double "on" from debug prints in CCA event callbacks

    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 12, 2024
    5913d1a
  3. Update Beacon frames after color change

    Once CCA is finished, Beacon frames need to be updated. The BCCA element
    needs to be removed and the new color value shall be advertised in the
    BSS Color Information field of the HE Operation element.
    
    Update the Beacon frames accordingly.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 12, 2024
    ecfe2aa
  4. AP MLD: Send link id to the driver during color change

    Send the link ID in the nl80211 command to switch color if the AP is
    affiliated with an AP MLD.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 12, 2024
    320c4c8
  5. tests: Add HE BSS color change test

    Add the he_bss_color_change test case which brings up an HE AP and
    performs color change operations and validates the result.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 12, 2024
    72203b8
  6. tests: Add color change test for an AP MLD

    Add the eht_mlo_color_change test case to perform color change on the
    first link of an AP MLD. Performing on non-first link will be done
    later.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jun 12, 2024
    cb5c4e4

Commits on Jun 13, 2024

  1. STA: Update scan results when BSS entry with current SSID is not found

    wpa_supplicant might use a wrong BSS entry with the SSID different from
    the current SSID of the current BSS while processing a roam event from
    the driver when wpa_supplicant has a stale BSS entry with the old SSID
    and the driver roams to the same BSS after it is restarted with a new
    SSID.
    
    To avoid this, update scan results from the driver when a BSS entry is
    not found with the current SSID and try to fetch the BSS entry again
    with the current SSID after this.
    
    Also, with this change wpa_supplicant_get_new_bss() itself will update
    the BSS table and search for the current BSS entry if it is not found in
    the BSS table. So, remove the BSS table update and search logic from the
    callers of wpa_supplicant_get_new_bss().
    
    Signed-off-by: Veerendranath Jakkam <[email protected]>
    Veerendranath Jakkam authored and jmalinen committed Jun 13, 2024
    9a022cd

Commits on Jun 19, 2024

  1. SSID protection in 4-way handshake on STA

    Add support for SSID protection in 4-way handshake based on the
    mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
    CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
    
    This functionality is disabled by default and can be enabled with
    ssid_protection=1 in the network profile. Once there has been more
    testing of this to confirm there are no significant interoperability
    issues, the goal is to be able to change this to be enabled by default.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jun 19, 2024
    dab7549
  2. SSID protection in 4-way handshake on AP

    Add support for SSID protection in 4-way handshake based on the
    mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
    CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
    
    This functionality is disabled by default and can be enabled with
    ssid_protection=1. Once there has been more testing of this to confirm
    there are no significant interoperability issues, the goal is to be able
    to change this to be enabled by default.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jun 19, 2024
    37a289f
  3. tests: SAE with SSID protection in 4-way handshake

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jun 19, 2024
    b54ccd4
  4. Add Link ID for External ACS vendor command

    The Link Id attribute is required for external ACS context to identify
    the link on which the command is received for an AP MLD.
    
    Signed-off-by: Diya Sati <[email protected]>
    Diya Sati authored and jmalinen committed Jun 19, 2024
    c6e55fb
  5. Define Link Id attribute for QCA_NL80211_VENDOR_SUBCMD_PASN

    The Link Id attribute is required for QCA_NL80211_VENDOR_SUBCMD_PASN to
    identify the link on which the command is received for an MLD.
    
    Signed-off-by: Nidhi Jain <[email protected]>
    Nidhi Jain authored and jmalinen committed Jun 19, 2024
    2097de2
  6. Define Link Id attribute for secure ranging context vendor command

    The Link Id attribute is required for secure ranging context to identify
    the link on which the command is received for an MLD.
    
    Signed-off-by: Nidhi Jain <[email protected]>
    Nidhi Jain authored and jmalinen committed Jun 19, 2024
    d97b5c6

Commits on Jun 20, 2024

  1. SAE: Free password identifier if SAE commit is rejected due to it

    Authentication rejection was found when doing fuzz testing even with a
    valid SAE commit message when it was sent after a SAE commit message
    that included an incorrect password identifier. The test steps for this
    are as below:
    
    1. Peer sends an abnormal commit message with incorrect password
       identifier
    2. APUT rejects as expected
    3. Peer sends a valid commit message
    4. APUT rejects again, which is not expected
    
    In step 2, as the abnormal data fakes an empty password identifier
    element, it passes sae_is_password_id_elem() checking. Memory is then
    allocated for sae->tmp->pw_id. The authentication process then fails
    due to no available password with this invalid password identifier.
    
    In step 4, though the peer sends a valid commit message, APUT rejects
    this SAE commit again due to no password identifier element (due to that
    sae->tmp->pw_id being set), which is not expected.
    
    Free the sae->tmp->pw_id field and set it to NULL when SAE commit
    message processing fails due to an unknown password identifier so that
    the bogus value is not used as a requirement for any consecutive SAE
    commit from the same STA before the STA entry gets cleared.
    
    Signed-off-by: Chenming Huang <[email protected]>
    Chenming Huang authored and jmalinen committed Jun 20, 2024
    761041b
  2. tests: SAE protocol testing and a valid commit after a failed one

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jun 20, 2024
    7cf0021
  3. Add vendor flag to indicate unavailability mode in TWT responder mode

    Add a flag attribute
    QCA_WLAN_VENDOR_ATTR_TWT_SET_PARAM_UNAVAILABILITY_MODE into enum
    qca_wlan_vendor_attr_twt_set_param to configure the TWT responder
    unavailability outside of the SPs of its broadcast TWT schedule.
    
    Signed-off-by: Purushottam Kushwaha <[email protected]>
    quic-pkushwah authored and jmalinen committed Jun 20, 2024
    9832f13
  4. Vendor command extension for Responder PM Mode bit in TWT SET Request

    Use the existing QCA_WLAN_VENDOR_ATTR_TWT_SETUP_RESPONDER_PM_MODE
    attribute for TWT setup request to configure the Responder PM Mode bit
    in the control field of the TWT element or broadcast TWT schedule.
    
    Signed-off-by: Purushottam Kushwaha <[email protected]>
    quic-pkushwah authored and jmalinen committed Jun 20, 2024
    0cb4265
  5. Vendor attribute to configure STA to follow AP preference for candidates

    Add a vendor attribute to configure a STA to follow AP advertised
    preference values to select roam candidates with BTM.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Gururaj Pandurangi authored and jmalinen committed Jun 20, 2024
    c9db492

Commits on Jul 7, 2024

  1. SAE: Check for invalid Rejected Groups element length explicitly

    Instead of practically ignoring an odd octet at the end of the element,
    check for such invalid case explicitly. This is needed to avoid a
    potential group downgrade attack.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 7, 2024
    364c2da
  2. SAE: Clear peer_rejected_groups when no element is included

    When parsing a SAE Commit message, the temporary peer_rejected_groups
    parameter was left to its old value in cases where the new SAE Commit
    message did not include the Rejected Groups element. This could result
    in unexpected behavior if a previously processed SAE Commit message
    included a Rejected Groups element that claimed one of the enabled
    groups to be rejected.
    
    Explicitly clear the peer_rejected_groups value when parsing an SAE
    Commit message without a Rejected Groups element to avoid rejecting the
    new message based on some previously received incorrect information.
    This avoids some potential denial-of-service issues during the lifetime
    of the SAE temporary data.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 7, 2024
    21fe042
  3. SAE: Clear rejected groups list on continuous failures

    wpa_supplicant used to maintain the list of rejected groups for SAE over
    multiple failed attempts. This could have some DoS issues, so clear this
    list if SAE authentication attempts fail continuously.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 7, 2024
    0ab009d
  4. tests: SAE protocol testing - Invalid Rejected Groups element

    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 7, 2024
    368aa02
  5. SAE: Clear rejected groups list on completing authentication

    The rejected groups list is valid only during each individual SAE
    authentication instance and it should not be maintained between separate
    instances. In particular, it should not be maintained when roaming to
    another AP since the APs might use different configuration for the
    allowed SAE groups.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 7, 2024
    d944ef1
  6. tests: SAE H2E and rejected groups with different APs and different config
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 7, 2024
    2846b74

Commits on Jul 9, 2024

  1. tests: Include Message-Authenticator attribute in RADIUS tests

    This is in preparation for hostapd requiring this attribute for all
    cases.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    566dc13
  2. RADIUS: Allow Message-Authenticator attribute as the first attribute

    If a Message-Authenticator attribute was already added to a RADIUS
    message, use that attribute instead of adding a new one when finishing
    message building. This allows the Message-Authenticator attribute to be
    placed as the first attribute in the message.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    adac846
  3. RADIUS server: Place Message-Authenticator attribute as the first one

    Move the Message-Authenticator attribute to be the first attribute in
    the RADIUS messages. This mitigates certain MD5 attacks against
    RADIUS/UDP.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    54abb0d
  4. eapol_test: Move Message-Authenticator attribute to be the first one

    Even if this is not strictly speaking necessary for mitigating certain
    RADIUS protocol attacks, be consistent with the RADIUS server behavior
    and move the Message-Authenticator attribute to be the first attribute
    in the message from RADIUS client.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    689a248
  5. hostapd: Move Message-Authenticator attribute to be the first one in req

    Even if this is not strictly speaking necessary for mitigating certain
    RADIUS protocol attacks, be consistent with the RADIUS server behavior
    and move the Message-Authenticator attribute to be the first attribute
    in the message from RADIUS client in hostapd.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    37fe8e4
  6. RADIUS DAS: Move Message-Authenticator attribute to be the first one

    Even if this might not be strictly speaking necessary for mitigating
    certain RADIUS protocol attacks, be consistent with the RADIUS server
    behavior and move the Message-Authenticator attribute to be the first
    attribute in the RADIUS DAS responses from hostapd.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    f541570
  7. Require Message-Authenticator in Access-Reject even without EAP-Message

    Do not allow the exception for missing Message-Authenticator in
    Access-Reject without EAP-Message. While such exception is allowed in
    RADIUS definition, there is no strong reason to maintain this since
    Access-Reject is supposed to include EAP-Message and even if it doesn't,
    discarding Access-Reject will result in the connection not completing.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    934b0c3
  8. RADIUS: Require Message-Authenticator attribute in MAC ACL cases

    hostapd required Message-Authenticator attribute to be included in EAP
    authentication cases, but that requirement was not in place for MAC ACL
    cases. Start requiring Message-Authenticator attribute for MAC ACL by
    default. Unlike the EAP case, this can still be disabled with
    radius_require_message_authenticator=1 to maintain compatibility with
    some RADIUS servers when used in a network where the connection to such
    a server is secure.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    5809712
  9. RADIUS: Check Message-Authenticator if it is present even if not required
    
    Always check the Message-Authenticator attribute in a received RADIUS
    message if it is present. Previously, this would have been skipped if
    the attribute was not required to be present.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    f302d9f
  10. nl80211: Send link ID with NL80211_CMD_TDLS_MGMT to enable TDLS with MLO

    The latest Linux kernel is mandating link ID with NL80211_CMD_TDLS_MGMT
    for MLO connections. This resulted in not being able to perform TDLS
    operations during a multi-link association.
    
    Fix this by sending link ID in NL80211_CMD_TDLS_MGMT when available. If
    link ID info is not available, send the link ID of the association link.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Aleti Nageshwar Reddy authored and jmalinen committed Jul 9, 2024
    5f98c85
  11. SAE: Check for invalid Rejected Groups element length explicitly on STA

    Instead of practically ignoring an odd octet at the end of the element,
    check for such invalid case explicitly. This is needed to avoid a
    potential group downgrade attack.
    
    Fixes: 444d76f ("SAE: Check that peer's rejected groups are not enabled")
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    593a7c2
  12. SAE: Reject invalid Rejected Groups element in the parser

    There is no need to depend on all uses (i.e., both hostapd and
    wpa_supplicant) to verify that the length of the Rejected Groups field
    in the Rejected Groups element is valid (i.e., a multiple of two octets)
    since the common parser can reject the message when detecting this.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 9, 2024
    9716bf1
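
The Rejected Groups handling described by the SAE commits of Jul 7 and Jul 9 above (explicit odd-length rejection in the parser, clearing the stale list when a Commit carries no element, and the enabled-group check named in the Fixes line), as an added example that is not hostap code. All struct and function names are hypothetical and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration; every name below is hypothetical, not hostap's. */

enum { RG_OK = 0, RG_INVALID = -1, RG_NOMEM = -2 };

/* Per-peer temporary SAE data that survives between Commit messages. */
struct sae_tmp_demo {
    uint16_t *rejected;   /* groups the peer says were rejected earlier */
    size_t n_rejected;
};

static void rg_clear(struct sae_tmp_demo *tmp)
{
    free(tmp->rejected);
    tmp->rejected = NULL;
    tmp->n_rejected = 0;
}

/*
 * field/len: contents of the Rejected Groups field of the Commit being
 * parsed (a list of 16-bit little-endian group identifiers), or NULL when
 * this Commit carries no Rejected Groups element.
 */
int rg_parse(struct sae_tmp_demo *tmp, const uint8_t *field, size_t len)
{
    size_t i, n;

    /* Never let a list from an earlier Commit leak into this one. */
    rg_clear(tmp);
    if (!field)
        return RG_OK;

    /* Each entry is two octets; a trailing odd octet makes the element
     * malformed and it is rejected instead of being silently ignored. */
    if (len & 1)
        return RG_INVALID;

    n = len / 2;
    if (n == 0)
        return RG_OK;
    tmp->rejected = malloc(n * sizeof(*tmp->rejected));
    if (!tmp->rejected)
        return RG_NOMEM;
    for (i = 0; i < n; i++)
        tmp->rejected[i] = (uint16_t) (field[2 * i] |
                                       (field[2 * i + 1] << 8));
    tmp->n_rejected = n;
    return RG_OK;
}

/*
 * Returns 1 if the peer lists a group that is enabled locally. Such a
 * group would not have been rejected here, so the claim is inconsistent
 * and the Commit should be refused.
 */
int rg_conflicts(const struct sae_tmp_demo *tmp, const uint16_t *enabled,
                 size_t n_enabled)
{
    size_t i, j;

    for (i = 0; i < tmp->n_rejected; i++)
        for (j = 0; j < n_enabled; j++)
            if (tmp->rejected[i] == enabled[j])
                return 1;
    return 0;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_valid[] = { 0x13, 0x00, 0x14, 0x00 }; /* 19, 20 */
static const uint8_t sample_odd[] = { 0x13, 0x00, 0x14 };   /* stray octet */
static const uint16_t local_enabled[] = { 19 };

int main(void)
{
    struct sae_tmp_demo tmp = { NULL, 0 };
    int res;

    res = rg_parse(&tmp, sample_valid, sizeof(sample_valid));
    printf("valid element: res=%d conflict=%d\n", res,
           rg_conflicts(&tmp, local_enabled, 1));

    /* Next Commit has no element: the old list must not be reused. */
    res = rg_parse(&tmp, NULL, 0);
    printf("no element:    res=%d conflict=%d\n", res,
           rg_conflicts(&tmp, local_enabled, 1));

    res = rg_parse(&tmp, sample_odd, sizeof(sample_odd));
    printf("odd length:    res=%d entries=%zu\n", res, tmp.n_rejected);

    rg_clear(&tmp);
    return 0;
}
```
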

Commits on Jul 11, 2024

  1. hostapd: Fix updating Beacon frames during association handling

    In function handle_assoc(), ieee802_11_update_beacons() was used to
    update the Beacon frames. However, with commit a5d0bb4 ("Reduce
    delay between Association Request and Association Response"), it was
    changed to ieee802_11_set_beacons() which basically overturned what
    commit e59d2a3 ("hostapd: Fix premature beacon set during
    association handling") did which is not correct.
    
    Fix this and use ieee802_11_update_beacons() instead of
    ieee802_11_set_beacons().
    
    Fixes: a5d0bb4 ("Reduce delay between Association Request and Association Response")
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jul 11, 2024
    22a592d
  2. nl80211: Refactor color collision related nl80211 commands handling

    Almost same logic is there in handling four different commands related
    to color collision. Later when link ID needs to be parsed, it would be
    more duplicate logic at four different places. Hence refactor and bring
    it in a single function.
    
    No functionality changes.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jul 11, 2024
    5d16ad9
  3. nl80211: AP MLD: Parse link ID to determine the BSS for color event

    When an HE BSS color event is received from the driver, the event was
    delivered to the first link BSS ctx. To support HE BSS color with MLO,
    there is a need to identify the correct link for which the event is
    intended.
    
    Add link ID parsing support in the event handler and pass the link ID
    (if included) down to the event handler so that appropriate link can be
    selected.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jul 11, 2024
    61eb89d
  4. tests: Extend color change test for a non-first link of an AP MLD

    Currently color change test is supported only on the first link of the
    AP MLD. Extend the support to test on non-first link as well.
    
    Signed-off-by: Aditya Kumar Singh <[email protected]>
    Aditya Kumar Singh authored and jmalinen committed Jul 11, 2024
    b7c6aa3
  5. Do not derive SAE PT if the network profile does not include SAE

    wpa_s_setup_sae_pt() derived SAE PT even when the configured key
    management options did not include SAE if the global sae_pwe
    configuration parameter had been changed to enable H2E. This adds
    unnecessary extra delay, so derive PT only if SAE is actually enabled in
    the network profile.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Hu Wang authored and jmalinen committed Jul 11, 2024
    438a27b
  6. SecureLTF: Work around misbehaving STAs for PTK derivation without KDK

    Some deployed STAs that advertise SecureLTF support in the RSNXE in
    (Re)Association Request frames, do not derive KDK during PTK generation.
    Since the correct key calculations in the AP includes an additional KDK
    generation in such cases, this causes different PTK-KCK being derived
    and the AP ultimately discarding EAPOL-Key message 2/4 due to MIC
    validation failure.
    
    Try to derive a PTK without KDK as a workaround in such cases and allow
    the 4-way handshake to continue if this results in a matching MIC.
    
    Signed-off-by: Sai Pratyusha Magam <[email protected]>
    Sai Pratyusha Magam authored and jmalinen committed Jul 11, 2024
    8f69e53
  7. nl80211: Use actual number of supported AKMs for AP setup

    Since 0ce1545 ("nl80211: Determine maximum number of supported
    AKMs") we get the maximum number of supported AKMs from the kernel.
    Let's use that instead of the legacy NL80211_MAX_NR_AKM_SUITES when
    setting up AP mode operation.
    
    Signed-off-by: Sascha Hauer <[email protected]>
    saschahauer authored and jmalinen committed Jul 11, 2024
    3b4f127
  8. dbus: Fix memory leak in case dbus provides tlv in P2P UPnP SD request

    Using D-Bus it is possible to trigger a valid UPnP SD request where
    "tlv" is specified: in this case "tlv" is allocated, and then not used
    nor freed. Valgrind complains as follows:
    
     72 bytes in 2 blocks are definitely lost in loss record 46 of 68
        at 0x484C214: calloc (vg_replace_malloc.c:1675)
        by 0x41C673: wpabuf_alloc (wpabuf.c:124)
        by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
        by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
        by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
        by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
        by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
        by 0x5495DF: dispatch_data (dbus_common.c:37)
        by 0x5495DF: process_watch (dbus_common.c:73)
        by 0x5495DF: process_watch_read (dbus_common.c:89)
        by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
        by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
        by 0x41FA46: eloop_run (eloop.c:1233)
        by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
        by 0x40DB06: main (main.c:393)
    
    Fix it ensuring that "tlv" is freed, both in the error and non-error
    path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
    test_dbus.py to verify correct behavior.
    
    Signed-off-by: Davide Caratti <[email protected]>
    dcaratti authored and jmalinen committed Jul 11, 2024
    0c2d841
  9. dbus: Fix memory leak in case dbus provides 'tlvs' in invalid P2P SD response
    
    Using D-Bus it is possible to request an invalid SD response where
    "tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
    this case, "tlv" is allocated and then never used nor freed. Valgrind
    complains as follows:
    
     36 bytes in 1 blocks are definitely lost in loss record 20 of 74
        at 0x484C214: calloc (vg_replace_malloc.c:1675)
        by 0x41C673: wpabuf_alloc (wpabuf.c:124)
        by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
        by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
        by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
        by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
        by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
        by 0x5495DF: dispatch_data (dbus_common.c:37)
        by 0x5495DF: process_watch (dbus_common.c:73)
        by 0x5495DF: process_watch_read (dbus_common.c:89)
        by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
        by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
        by 0x41FA46: eloop_run (eloop.c:1233)
        by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
        by 0x40DB06: main (main.c:393)
    
    Fix it ensuring that "tlv" is freed both in the error and non-error path
    of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
    test_dbus.py to verify correct behavior.
    
    Signed-off-by: Davide Caratti <[email protected]>
    dcaratti authored and jmalinen committed Jul 11, 2024
    d22401d
  10. dbus: Make sure ServiceDiscoveryRequest/Result does not override pointers
    
    Explicitly free the previously allocated copy if ServiceDiscoveryRequest
    or Service DiscoveryResponse parsing loop finds multiple instances of
    the same dict entry.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 11, 2024
    9f0429c
  11. MLD: Ensure link BSSIDs remain on stack for ignore

    When ignoring a link BSSID the multi-link information was parsed out
    into a struct ml_sta_link_info on the stack. However, this stack
    variable went out of scope before it was used by passing the link_bssids
    pointer array to another function.
    
    Fixes: 5af986c ("MLD: Also mark links as failed after association failure")
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    cf3883f
  12. MLD: Ensure link_bssid array has space for sentinel

    The consumer of the link_bssid array assumes it is a NULL terminated
    array of BSSIDs. As such, add one to the maximum number of links to
    ensure that there is always a sentinel value.
    
    Fixes: 5af986c ("MLD: Also mark links as failed after association failure")
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    7bcede0
  13. PMKSA: Guard against NULL KCK for memcpy()

    If the kck_len is 0 then the pointer may be NULL. If that happens UBSAN
    complains about the NULL pointer as memcpy() has the arguments declared
    to never be NULL even if the copied number of bytes were zero.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    ac15b79
  14. tests: Specify correct function name for failure

    The test expects rsn_pmkid_suite_b_192() to fail but specified only
    rsn_pmkid_suite_b without the _192 postfix. Add the postfix so that the
    function matching can be fixed later.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    050bd6e
  15. tests: Use more specific alloc_fail location

    The test here is triggering the allocation failure in the static
    wpa_config_parse_password() helper. Use this and decrease the count
    instead of matching both wpa_config_set_quoted() and wpa_config_set()
    and counting down based on that.
    
    This is in preparation to fix the failure function matching to not do a
    prefix match.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    f6ba44d
  16. tests: Remove duplicate fail test check

    The wpas_p2p_nfc_handover failure test and the more specific
    wps_build_nfc_handover_req_p2p were effectively the same as the matching
    currently does a prefix match. The code-path tested in these two cases
    only hit a single TEST_FAIL macro in openssl_digest_vector.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    9ba372a
  17. tests: Use sha256_prf_bits for failure stack matching

    It seems that sha256_prf may not always be in the stack trace for
    failure checking, possibly due to tail call optimization as it simply
    calls sha256_prf_bits with updated parameters. Simply match against
    sha256_prf_bits directly to avoid issues due to optimizations.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    918da64
  18. trace: Use strncmp() to match function names

    The functions specified by the user might be longer than the function in
    the backtrace, potentially overflowing the memcmp(). In practice, it
    should not be a relevant out-of-memory read. However, we can use
    strncmp() instead.
    
    Note that, as before, this is only a prefix match. If a function name is
    longer in the backtrace it will still match.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    49344db
  19. trace: Only permit explicit prefix matching for functions

    The matching code currently only tests whether the prefix of a function
    matches. Make this more strict by ensuring that the function name is not
    longer.
    
    However, as this breaks some tests (due to inlining), add the ability to
    do an explicit prefix match by appending a '*' to the function name. Use
    this to change the eap_eke_prf match to eap_eke_prf_* in order to match
    one of the actual implementations.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    58b2759
  20. tests: Ignore large memory blocks when searching for keys

    wpa_supplicant will generally never allocate a memory block of that
    size. We can therefore assume that it belongs to ASAN and we need to
    ignore it.
    
    Signed-off-by: Benjamin Berg <[email protected]>
    benzea authored and jmalinen committed Jul 11, 2024
    7f3fe95
  21. dbus: Fix error path in scan request handling

    In case the scan request handling fails, exit cleanly, i.e., without
    setting internal state such as the 'scan_res_handler' pointer.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Jul 11, 2024
    e5f76b9
  22. PASN: Derive KDK on AP only when both ends support SecureLTF

    On the AP responder side, KDK was derived if the driver advertises
    WPA_DRIVER_FLAGS2_SEC_LTF_AP. That is not correct, i.e., this needs to
    also depend on the initiator indicating support for this in the RSNXE of
    PASN authentication frame 1.
    
    Signed-off-by: Sai Pratyusha Magam <[email protected]>
    Sai Pratyusha Magam authored and jmalinen committed Jul 11, 2024
    b745cd3
  23. Indicate if SSID has been verified in STATUS output

    Add a new "ssid_verified=1" entry into the control interface STATUS
    command output if the SSID has been verified for the current
    association. This verification may have been done implicitly (e.g., with
    SAE H2E and FT protocol binding in the SSID into key derivation or with
    FILS protecting the SSID element in the (Re)Association Request frame)
    or explicitly with the recently added SSID protection mechanism during
    the 4-way handshake.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    c6f394b
  24. tests: Verify that ssid_verified=1 is set appropriately

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    42c1a51
  25. Indicate if BIGTK has been set in STATUS output

    The new "bigtk_set=1" entry in the control interface STATUS command
    output indicates that a BIGTK has been successfully configured. This
    shows that beacon protection has been enabled for the current
    association.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    7436b5b
  26. tests: Verify bigtk_set=1 indication

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    d5d0012
  27. BSS: Add wpa_bss_get_ie_beacon()

    This is a variant of wpa_bss_get_ie() to allow IEs to be checked from
    only Beacon frames similarly to how wpa_bss_get_vendor_ie_beacon()
    behaves for vendor specific elements.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    89b1641
  28. SSID verification based on beacon protection

    If SSID was not verified during the initial setup of an association, but
    beacon protection was negotiated, try to verify the SSID based on Beacon
    frames that have been received after the first BIGTK has been
    configured.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    5452a4a
  29. tests: SSID verification using beacon protection

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 11, 2024
    454a22d
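
The function-name matching rules described in commits 18 and 19 above, as an added example that is not hostap code: `match_prefix`, `match_strict`, `count_matches` and the backtraces are constructed for illustration. It shows why the old prefix rule made a pattern such as `wpa_config_set` select more than one frame, and how the explicit `*` suffix restores prefix matching only where it is asked for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*match_fn)(const char *pattern, const char *func);

/* Prefix match as described for commit 18: strncmp() stops at the NUL of
 * either string, so a pattern longer than the frame name cannot make the
 * comparison run past the end of the frame name. */
static int match_prefix(const char *pattern, const char *func)
{
	return strncmp(func, pattern, strlen(pattern)) == 0;
}

/* Strict match as described for commit 19: the names must be equal unless
 * the pattern ends in '*', which requests an explicit prefix match. */
static int match_strict(const char *pattern, const char *func)
{
	size_t len = strlen(pattern);

	if (len > 0 && pattern[len - 1] == '*')
		return strncmp(func, pattern, len - 1) == 0;
	return strcmp(func, pattern) == 0;
}

/* Count how many frames of a backtrace a pattern selects under a rule. */
static int count_matches(match_fn match, const char *pattern,
			 const char *const *frames, size_t n)
{
	size_t i;
	int hits = 0;

	for (i = 0; i < n; i++) {
		if (match(pattern, frames[i]))
			hits++;
	}
	return hits;
}

/* Constructed backtraces, innermost frame first. The function names are
 * taken from the commit messages or made up to resemble them. */
static const char *const trace_config[] = {
	"wpa_config_parse_password",
	"wpa_config_set",
	"wpa_config_set_quoted",
	"main",
};

static const char *const trace_eke[] = {
	"eap_eke_prf_hmac_sha256", /* assumed name of one implementation */
	"eap_eke_derive_key",
	"main",
};

int main(void)
{
	size_t n_cfg = sizeof(trace_config) / sizeof(trace_config[0]);
	size_t n_eke = sizeof(trace_eke) / sizeof(trace_eke[0]);

	printf("prefix rule, wpa_config_set: %d frame(s)\n",
	       count_matches(match_prefix, "wpa_config_set",
			     trace_config, n_cfg));
	printf("strict rule, wpa_config_set: %d frame(s)\n",
	       count_matches(match_strict, "wpa_config_set",
			     trace_config, n_cfg));
	printf("strict rule, eap_eke_prf: %d frame(s)\n",
	       count_matches(match_strict, "eap_eke_prf", trace_eke, n_eke));
	printf("strict rule, eap_eke_prf_*: %d frame(s)\n",
	       count_matches(match_strict, "eap_eke_prf_*", trace_eke, n_eke));
	return 0;
}
```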

Commits on Jul 12, 2024

  1. Fix mesh 6 GHz incorrect channel bandwidth

    When the wiphy supports multiple bands and reports different capability
    values between 5 GHz and 6 GHz channels, the 6 GHz mesh interface is
    unable to correctly map the channel width in function
    ibss_mesh_setup_freq(). This issue arises because the modes of 5 GHz and
    6 GHz interfaces are the same (HOSTAPD_MODE_IEEE80211A) in supported
    modes.
    
    To address this, use function get_mode() to determine the appropriate
    mode during mesh setup. This will iterate through all the hw_features
    sets and ensures compatibility with the band of the channel supported in
    hw_features set.
    
    Signed-off-by: Harshitha Prem <[email protected]>
    Harshitha Prem authored and jmalinen committed Jul 12, 2024
    99e8288
  2. Fix channel switch without 'ht' for HE and EHT modes in 2.4 GHz band

    hostapd_cli chan_switch command fails in 2.4 GHz band for HE and EHT
    modes if the user does not explicitly specify 'ht' option in the
    command.
    
    For example:
    "hostapd_cli -i wlan2 chan_switch 10 2412 sec_channel_offset=0 \
     center_freq1=2412 bandwidth=20 blocktx he"
    
    Fix this by enabling HT by default if HE is enabled in the 2.4 GHz and 5
    GHz bands. Similarly, enable VHT by default when HE is enabled in the 5
    GHz band.
    
    Signed-off-by: Pradeep Kumar Chitrapu <[email protected]>
    Pradeep Kumar Chitrapu authored and jmalinen committed Jul 12, 2024
    7d314d6
  3. MLO: Swap Tx/Rx keys for GTK TKIP Michael MIC in MLO GTK KDE

    While TKIP should not really be used at all anymore and is not allowed
    for WPA3 (which is required for Wi-Fi 7), there are some deployed APs
    that allow WPA2 PSK to be used with MLO (and even allowing WPA+WPA2 mode
    with TKIP as the group cipher). IEEE P802.11be/D5.0 does not seem to
    explicitly disallow this combination, so handle the MLO GTK KDE key
    processing similarly to the way GTK KDE is processed, i.e., including
    swapping of Michael MIC Tx and Rx keys for TKIP.
    
    This fixes issues with Michael MIC failures if TKIP is used as a group
    cipher for a multi-link association.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Hu Wang authored and jmalinen committed Jul 12, 2024
    cb91ef2
  4. ACS: Update ACS documentation

    Update the documentation to reflect the ACS algorithm used in the code.
    No functionality change.
    
    Signed-off-by: Hari Naraayana Desikan Kannan <[email protected]>
    Hari Naraayana Desikan Kannan authored and jmalinen committed Jul 12, 2024
    83cfeb8
  5. ACS: Fix ACS behavior for channel selection

    The current ACS algorithm incorrectly returns success even when there is
    no survey list, leading to improper interference factor calculation.
    This leads to treating 0 as a valid interference factor, which affects
    channel selection judgment.
    
    Fix the issue by ensuring success is only returned when the survey list
    is not empty, thereby ignoring non-zero values in the interference
    factor calculation.
    
    Signed-off-by: Hari Naraayana Desikan Kannan <[email protected]>
    Hari Naraayana Desikan Kannan authored and jmalinen committed Jul 12, 2024
    be2ac92
  6. ACS: Fix primary channel puncturing in ACS

    Currently, when the ACS is updating the puncturing bitmap, the function
    acs_update_puncturing_bitmap() sets the primary channel bitmap to 0.
    This leads to a potential issue where the primary channel could be
    punctured if ACS selects a different best channel within the same
    segment.
    
    To fix this issue, ensure that the primary channel bitmap is correctly
    set by calculating the index of the primary channel based on the
    frequency difference between the current channel and the best channel in
    the segment, and is then passed to acs_update_puncturing_bitmap().
    
    Fixes: af0f60e ("EHT: Calculate puncturing bitmap for ACS")
    Signed-off-by: Hari Naraayana Desikan Kannan <[email protected]>
    Hari Naraayana Desikan Kannan authored and jmalinen committed Jul 12, 2024
    627b67f
  7. wpa_supplicant: Always clear SAE rejected groups on roaming to another BSS

    SAE rejected groups were not cleared in case of re-association to the
    same ESS. Since new BSS can support different groups, keeping rejected
    groups doesn't make sense and may result in AP rejecting the
    authentication. Fix it.
    
    Signed-off-by: Andrei Otcheretianski <[email protected]>
    aotchere authored and jmalinen committed Jul 12, 2024
    094e188
  8. Add int_array_includes()

    This is a convenient helper function for using int_array instances.
    
    Signed-off-by: Andrei Otcheretianski <[email protected]>
    aotchere authored and jmalinen committed Jul 12, 2024
    5f83f4d
  9. wpa_supplicant: Do not select a rejected SAE group

    Make sure that sme_set_sae_group() doesn't select a group that was
    previously rejected during this instance of SAE authentication.
    
    Signed-off-by: Andrei Otcheretianski <[email protected]>
    aotchere authored and jmalinen committed Jul 12, 2024
    fcf799c
  10. tests: Use different groups in test_sae_no_ffc_by_default

    The test assumes that STA will try to reconnect with the same SAE group
    after the first authentication attempt is rejected due to unsupported
    group. Since this behaviour is fixed in the previous patch, configure
    two different groups to trigger the second authentication attempt.
    
    Signed-off-by: Andrei Otcheretianski <[email protected]>
    aotchere authored and jmalinen committed Jul 12, 2024
    c3b3c50
  11. wlantest: ICMP: Use sta_find_mlo()

    Using just sta_find() won't work for any link addresses
    but the assoc link, use sta_find_mlo() instead.
    
    Signed-off-by: Johannes Berg <[email protected]>
    jmberg-intel authored and jmalinen committed Jul 12, 2024
    b7aecfe
  12. tests: Fix run_eht_mld_sae_two_links()

    In the case that the AP MLD is disabled and enabled again, flush
    the wpa_supplicant BSS table before reconnecting as otherwise
    the previous AP MLD BSSs would be in the BSS table and the wpa_supplicant
    would try to connect to them.
    
    Signed-off-by: Ilan Peer <[email protected]>
    ilanpeer2 authored and jmalinen committed Jul 12, 2024
    b946a80
  13. Make Beacon frame checks less frequent for SSID verification

    Instead of checking the latest scan results every second indefinitely,
    add more latency between the checks in case the driver does not update
    the time stamp value (i.e., does not report new Beacon frames during an
    association).
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 12, 2024
    1023654
  14. tests: Make SSID verification through beacon protection more robust

    Clear scan results at the beginning of the test case to avoid incorrect
    behavior if there are multiple entries for the same BSS. In addition,
    use a bit longer wait for receiving an updated Beacon frame in scan
    results.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 12, 2024
    3137a41
  15. nl80211: AP MLD: Reassign drv->ctx correctly to prevent hostapd crash

    When the first link is deleted and there are still remaining links,
    drv->ctx should be updated to the new default link on the bss.
    Otherwise, drv->ctx points to the address that has already been freed
    and makes hostapd crash.
    
    Fixes: d2b62b3 ("AP MLD: Support link removal before removing interface")
    Signed-off-by: Michael-CY Lee <[email protected]>
    Michael-CY Lee authored and jmalinen committed Jul 12, 2024
    7c935ee
  16. NAN: Fix a typo in USD doc

    The 'req_instance' parameter in transmit command should be
    'req_instance_id'.
    
    Fixes: e3f9ab3 ("NAN: USD in wpa_supplicant")
    Signed-off-by: Chien Wong <[email protected]>
    ivq authored and jmalinen committed Jul 12, 2024
    44f2038
  17. NAN: Reject undefined publish type

    The Wi-Fi Aware Specification v4.0 only defines unsolicited
    transmissions only, solicited transmissions only and both unsolicited
    and solicited transmissions publish. The other possibility is undefined
    so we should reject it.
    
    Signed-off-by: Chien Wong <[email protected]>
    ivq authored and jmalinen committed Jul 12, 2024
    92829d8
  18. tests: NAN: Check USD publish type

    Signed-off-by: Chien Wong <[email protected]>
    ivq authored and jmalinen committed Jul 12, 2024
    f250c34
  19. nl80211: NAN: Register multicast action frames if possible

    The USD passive subscriber and solicited transmission only publisher
    require receiving multicast NAN action frames in order to work.
    Currently, we are not requesting to receive multicast when
    registering NAN action frames. As a result, USD passive subscribe or
    solicited only publish may not work.
    
    The NL80211_ATTR_RECEIVE_MULTICAST attribute corresponds to wiphy
    ext feature NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS, which
    requires driver support and only a few drivers in the kernel tree
    support it. Namely ath9k, ath9k_htc, ath10k and hwsim. We should
    fall back to register non multicast action frames if the driver
    has no support.
    
    It was confirmed that ath9k_htc starts to work after the changes.
    
    Note that even without requesting to receive multicast Action
    frames, some drivers would still upload them. For example, rtl8192cu
    and hwsim. This is why test cases like test_nan_usd_match would not
    fail.
    
    Tested-on: TP-LINK TL-WN821N v3(AR7010+AR9287, ath9k_htc)
    Signed-off-by: Chien Wong <[email protected]>
    ivq authored and jmalinen committed Jul 12, 2024
    6ad5977
  20. nl80211: Fix AP scan with STA fallback error path

    I've run into a case where I can bring a 2.4 GHz AP up without it being
    in a bridge while I used the 'bridge=' config option. This happens when
    the HT scan needed for 40 MHz operation failed to start from the get go
    because another dev on the same phy was already in a scan. At the end
    the AP is up and running but not added into any bridge.
    
    Upon looking at the code, it seems that some hardware fails to issue a
    scan while in AP and thus we have a fallback that switches the interface
    from AP to STA before retrying another scan (it will change it back to
    AP later on when finished). As we cannot have a (non-WDS) STA in a
    bridge, during that procedure, we also remove/add the AP/STA from/to the
    bridge as needed.
    
    However, in wpa_driver_nl80211_scan() we do not set
    drv->ap_scan_as_station until the end of the switch-to-sta &
    retry-scan-start block. This means that when the recursive call to
    wpa_driver_nl80211_scan() fails (the hardware is busy in my case) we
    restore the interface to AP with wpa_driver_nl80211_set_mode() but that
    will not add it back to the bridge. Problem.
    
    To fix this, let's always set drv->ap_scan_as_station before calling
    wpa_driver_nl80211_set_mode(). In case wpa_driver_nl80211_set_mode() or
    wpa_driver_nl80211_scan() fails, let's call nl80211_restore_ap_mode() that
    will set the mode back to AP but also handle the bridge thing as needed.
    
    Signed-off-by: Nicolas Escande <[email protected]>
    nscnd authored and jmalinen committed Jul 12, 2024
    7b8517d

Commits on Jul 13, 2024

  1. SAE: Disable protocol instance temporarily on sync error in mesh

    Reduce the number of unwanted SAE commit retries in synchronization
    error cases when Sync > dot11RSNASAESync in mesh cases by discarding
    received SAE commit messages for 10 seconds after a sync error has been
    detected.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 13, 2024
    5da59ff
  2. SAE: Drop default dot11RSNASAESync value from 5 to 3

    Going through five extra rounds of SAE commit messages in cases where
    SAE peers are somehow unsynchronized feels unnecessarily much to do by
    default, so drop the default value to 3.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 13, 2024
    7d51bf2
  3. tests: wpa_supplicant secure mesh and injected SAE messages

    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 13, 2024
    49fe24e
  4. tests: Set sta_wds in multi_ap_backhaul_shared_bss

    This is needed to add the WDS interface for a STA with stricter
    implementation checks.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    Jouni Malinen authored and jmalinen committed Jul 13, 2024
    90344c3
  5. Multi-AP: Honor wds_sta even with multi_ap

    When multi_ap is active, hostapd creates an AP-VLAN interface for 4addr
    stations, even though wds_sta is not configured.
    
    A check should be added to determine if wds_sta is active before
    re-enabling the WDS mode by creating an AP-VLAN for 4addr stations.
    
    Signed-off-by: Baligh Gasmi <[email protected]>
    gbaligh authored and jmalinen committed Jul 13, 2024
    93a3c59
  6. hostapd: Fix opclass during CSA with DFS channels

    During CSA with DFS channels, disabling and enabling the interface is a
    part of the algorithm. When the interface was enabled, the old operating
    class before the switch and the new channel were used, causing a mismatch
    in the configured_fixed_chan_to_freq() function.
    
    Example of log when switch from channel 157 to 108 was triggered:
    "Could not convert op_class 124 channel 108 to operating frequency"
    
    Fixes: bb781c7 ("AP: Populate iface->freq before starting AP")
    Signed-off-by: Marek Kwaczynski <[email protected]>
    [email protected] authored and jmalinen committed Jul 13, 2024
    816e22b
  7. tests: Check CSA between non DFS and DFS chan

    Add test to validate CSA between non DFS channel
    and DFS channel with different operating class.
    
    Signed-off-by: Marek Kwaczynski <[email protected]>
    [email protected] authored and jmalinen committed Jul 13, 2024
    6809f2b
  8. MLD STA: Find partner links by BSSID and SSID

    Non-AP MLD finds AP MLD's partner links by BSSID from the scan results.
    However, if the scan results contain BSSs with the same BSSID but
    different BSS information, the non-AP MLD might assign a wrong BSS to
    one of the AP MLD's partner links.
    
    Avoid the problem by using both BSSID and SSID to find the AP MLD's
    partner links.
    
    Signed-off-by: Michael-CY Lee <[email protected]>
    Michael-CY Lee authored and jmalinen committed Jul 13, 2024
    e7172e2

Commits on Jul 15, 2024

  1. FT: Fix FTE MIC calculation with fragmented FTE

    Currently wpa_ft_parse_ies() is setting FTE information to wpa_buf
    pointer data which is generated after defragmentation. This data will
    not contain FTE and Fragment element(s) headers.
    
    IEEE P802.11be/D5.0 describes the MIC to be calculated on the
    concatenation of FTE and corresponding Fragment element(s) which
    implies the element headers are included for each element in the
    fragmented case.
    
    Fix this by correctly populating FTE information when FTE is
    fragmented.
    
    Fixes: 43b5f11 ("Defragmentation of FTE")
    Signed-off-by: Veerendranath Jakkam <[email protected]>
    Veerendranath Jakkam authored and jmalinen committed Jul 15, 2024
    c3d305d
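
Which bytes the commit above is talking about, as an added example that is not hostap code: `fte_locate`, `struct fte_view` and the sample frame are constructed for illustration. For a fragmented FTE it returns both the defragmented body (headers stripped) and the raw span of the FTE plus its Fragment element(s) with headers included, which is the span the commit message says the MIC has to cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_MDE      54   /* Mobility Domain element */
#define EID_FTE      55   /* Fast BSS Transition element */
#define EID_VENDOR   221
#define EID_FRAGMENT 242  /* Fragment element */

struct fte_view {
	const uint8_t *raw; /* first octet of the FTE header */
	size_t raw_len;     /* FTE + Fragment element(s), headers included */
	size_t body_len;    /* defragmented payload, headers excluded */
};

/* Find the FTE in an IE buffer, copy its defragmented payload to body and
 * describe the raw on-air span. Returns 0 on success, -1 if the FTE is
 * missing, an element is truncated or body is too small. */
static int fte_locate(const uint8_t *ies, size_t len,
		      uint8_t *body, size_t body_cap, struct fte_view *v)
{
	size_t pos = 0;

	while (len - pos >= 2) {
		uint8_t id = ies[pos], elen = ies[pos + 1];
		size_t end = pos, out = 0;

		if (elen > len - pos - 2)
			return -1; /* truncated element */
		if (id != EID_FTE) {
			pos += 2 + (size_t) elen;
			continue;
		}
		for (;;) {
			if (elen > body_cap - out)
				return -1;
			memcpy(body + out, ies + end + 2, elen);
			out += elen;
			end += 2 + (size_t) elen;
			/* A Fragment element can only follow a full
			 * (255-octet) element. */
			if (elen != 255 || len - end < 2 ||
			    ies[end] != EID_FRAGMENT)
				break;
			elen = ies[end + 1];
			if (elen > len - end - 2)
				return -1; /* truncated fragment */
		}
		v->raw = ies + pos;
		v->raw_len = end - pos;
		v->body_len = out;
		return 0;
	}
	return -1;
}

static size_t put_elem(uint8_t *buf, uint8_t id, const uint8_t *data,
		       uint8_t len)
{
	buf[0] = id;
	buf[1] = len;
	memcpy(buf + 2, data, len);
	return 2 + (size_t) len;
}

/* Constructed sample: MDE, an FTE whose 265-octet body needs one Fragment
 * element, then a vendor element. Returns the number of octets written. */
static size_t build_sample(uint8_t *buf, size_t cap)
{
	static const uint8_t mde[3] = { 0x12, 0x34, 0x00 };
	static const uint8_t vendor[4] = { 0x00, 0x11, 0x22, 0x33 };
	uint8_t payload[265];
	size_t i, n = 0;

	if (cap < 280)
		return 0;
	for (i = 0; i < sizeof(payload); i++)
		payload[i] = (uint8_t) (i % 251);
	n += put_elem(buf + n, EID_MDE, mde, 3);
	n += put_elem(buf + n, EID_FTE, payload, 255);
	n += put_elem(buf + n, EID_FRAGMENT, payload + 255, 10);
	n += put_elem(buf + n, EID_VENDOR, vendor, 4);
	return n;
}

int main(void)
{
	uint8_t ies[300], body[300];
	struct fte_view v;
	size_t n = build_sample(ies, sizeof(ies));

	if (fte_locate(ies, n, body, sizeof(body), &v) < 0)
		return 1;
	printf("defragmented body: %zu octets\n", v.body_len);
	printf("FTE + Fragment with headers: %zu octets\n", v.raw_len);
	return 0;
}
```

A MIC computed over the 265-octet body and one computed over the 269-octet raw span will not agree, so both ends have to feed the same span.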

Commits on Jul 20, 2024

  1. Move NULL check for driver private data (drv_priv)

    In the hostapd_cleanup_driver() function, the NULL check for the driver
    private data (drv_priv) is located within the CONFIG_IEEE80211BE feature
    flag. As a result, on platforms where CONFIG_IEEE80211BE is not defined,
    driver->hapd_deinit(drv_priv) is called with drv_priv set to NULL. This
    leads to a null pointer exception in wpa_driver_nl80211_deinit().
    
    To address this issue, move the NULL check for drv_priv outside the
    CONFIG_IEEE80211BE build flag. This ensures that the check is performed
    regardless of the value of CONFIG_IEEE80211BE, preventing the NULL
    pointer exception.
    
    Fixes: df34c2c ("AP MLD: De-initialize/disable link BSS properly")
    Signed-off-by: Sunil Ravi <[email protected]>
    sunil-ravi authored and jmalinen committed Jul 20, 2024
    ed5887a
  2. dbus: Fix SignalChange property

    SignalChange should be defined as a property of an interface.
    Previously, it was incorrectly defined as a property of P2P peers.
    
    Fixes: 7a7ce95 ("dbus: Emit more information over D-Bus")
    Signed-off-by: David Ruth <[email protected]>
    David Ruth authored and jmalinen committed Jul 20, 2024
    70e5bad
  3. dbus: Fix memory leak with Bonjour params for a P2P UPnP service

    Using D-Bus, it is possible to add a valid UPnP service where 'query'
    and 'response' are specified. In this case, memory for 'query' and
    'response' is allocated but not used nor freed. Valgrind complains as
    follows:
    
     42 bytes in 1 blocks are definitely lost in loss record 32 of 75
        at 0x484C214: calloc (vg_replace_malloc.c:1675)
        by 0x41C673: wpabuf_alloc (wpabuf.c:124)
        by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
        by 0x54F41A: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2762)
        by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
        by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
        by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
        by 0x5495DF: dispatch_data (dbus_common.c:37)
        by 0x5495DF: process_watch (dbus_common.c:73)
        by 0x5495DF: process_watch_read (dbus_common.c:89)
        by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
        by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
        by 0x41FA46: eloop_run (eloop.c:1233)
        by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
        by 0x40DB06: main (main.c:393)
    
     49 bytes in 1 blocks are definitely lost in loss record 37 of 75
        at 0x484C214: calloc (vg_replace_malloc.c:1675)
        by 0x41C673: wpabuf_alloc (wpabuf.c:124)
        by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
        by 0x54F348: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2755)
        by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
        by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
        by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
        by 0x5495DF: dispatch_data (dbus_common.c:37)
        by 0x5495DF: process_watch (dbus_common.c:73)
        by 0x5495DF: process_watch_read (dbus_common.c:89)
        by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
        by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
        by 0x41FA46: eloop_run (eloop.c:1233)
        by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
        by 0x40DB06: main (main.c:393)
    
    Fix this by ensuring that query and resp are freed both in the error and
    non-error path of wpas_dbus_handler_p2p_add_service(). Also, add a test
    in test_dbus.py to verify the correct behavior.
    
    Signed-off-by: Davide Caratti <[email protected]>
    dcaratti authored and jmalinen committed Jul 20, 2024
    aa2dfae
  4. Preparations for v2.11 release

    Update the version number for the build and also add the ChangeLog
    entries for both hostapd and wpa_supplicant to describe main changes
    between v2.10 and v2.11. Update the copyright years for the main
    programs.
    
    Signed-off-by: Jouni Malinen <[email protected]>
    jmalinen committed Jul 20, 2024
    d945ddd

Commits on Nov 20, 2024

  1. Merge tag 'hostap_2_11' into upmerge_211

    hostapd/wpa_supplicant 2.11
    krish2718 committed Nov 20, 2024
    8c1a832