wpa_supplicant: Fix seg fault in wpas_ctrl_radio_work_flush() in error case

[mech_eap.git] / wpa_supplicant / ctrl_iface.c
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c

index 0495c5b..ec79de3 100644 (file)
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -1,6 +1,6 @@
  /*
   * WPA Supplicant / Control interface (shared code for all backends)
- * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
   *
   * This software may be distributed under the terms of the BSD license.
   * See README for more details.
@@ -10,6 +10,7 @@
  
  #include "utils/common.h"
  #include "utils/eloop.h"
+#include "utils/uuid.h"
  #include "common/version.h"
  #include "common/ieee802_11_defs.h"
  #include "common/ieee802_11_common.h"
@@ -40,8 +41,6 @@
  #include "autoscan.h"
  #include "wnm_sta.h"
  
-extern struct wpa_driver_ops *wpa_drivers[];
-
  static int wpa_supplicant_global_iface_list(struct wpa_global *global,
                                             char *buf, int len);
  static int wpa_supplicant_global_iface_interfaces(struct wpa_global *global,
@@ -1629,6 +1628,17 @@ static int wpa_supplicant_ctrl_iface_status(struct wpa_supplicant *wpa_s,
         if (res >= 0)
                 pos += res;
  
+#ifdef CONFIG_WPS
+       {
+               char uuid_str[100];
+               uuid_bin2str(wpa_s->wps->uuid, uuid_str, sizeof(uuid_str));
+               ret = os_snprintf(pos, end - pos, "uuid=%s\n", uuid_str);
+               if (ret < 0 || ret >= end - pos)
+                       return pos - buf;
+               pos += ret;
+       }
+#endif /* CONFIG_WPS */
+
  #ifdef ANDROID
         wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_STATE_CHANGE
                      "id=%d state=%d BSSID=" MACSTR " SSID=%s",
@@ -1740,9 +1750,6 @@ static int wpa_supplicant_ctrl_iface_blacklist(struct wpa_supplicant *wpa_s,
  }
  
  
-extern int wpa_debug_level;
-extern int wpa_debug_timestamp;
-
  static const char * debug_level_str(int level)
  {
         switch (level) {
@@ -3645,6 +3652,7 @@ static int p2p_ctrl_find(struct wpa_supplicant *wpa_s, char *cmd)
         unsigned int timeout = atoi(cmd);
         enum p2p_discovery_type type = P2P_FIND_START_WITH_FULL;
         u8 dev_id[ETH_ALEN], *_dev_id = NULL;
+       u8 dev_type[WPS_DEV_TYPE_LEN], *_dev_type = NULL;
         char *pos;
         unsigned int search_delay;
  
@@ -3661,6 +3669,14 @@ static int p2p_ctrl_find(struct wpa_supplicant *wpa_s, char *cmd)
                 _dev_id = dev_id;
         }
  
+       pos = os_strstr(cmd, "dev_type=");
+       if (pos) {
+               pos += 9;
+               if (wps_dev_type_str2bin(pos, dev_type) < 0)
+                       return -1;
+               _dev_type = dev_type;
+       }
+
         pos = os_strstr(cmd, "delay=");
         if (pos) {
                 pos += 6;
@@ -3668,8 +3684,8 @@ static int p2p_ctrl_find(struct wpa_supplicant *wpa_s, char *cmd)
         } else
                 search_delay = wpas_p2p_search_delay(wpa_s);
  
-       return wpas_p2p_find(wpa_s, timeout, type, 0, NULL, _dev_id,
-                            search_delay);
+       return wpas_p2p_find(wpa_s, timeout, type, _dev_type != NULL, _dev_type,
+                            _dev_id, search_delay);
  }
  
  
@@ -4657,7 +4673,68 @@ static int p2p_ctrl_remove_client(struct wpa_supplicant *wpa_s, const char *cmd)
  #endif /* CONFIG_P2P */
  
  
+static int * freq_range_to_channel_list(struct wpa_supplicant *wpa_s, char *val)
+{
+       struct wpa_freq_range_list ranges;
+       int *freqs = NULL;
+       struct hostapd_hw_modes *mode;
+       u16 i;
+
+       if (wpa_s->hw.modes == NULL)
+               return NULL;
+
+       os_memset(&ranges, 0, sizeof(ranges));
+       if (freq_range_list_parse(&ranges, val) < 0)
+               return NULL;
+
+       for (i = 0; i < wpa_s->hw.num_modes; i++) {
+               int j;
+
+               mode = &wpa_s->hw.modes[i];
+               for (j = 0; j < mode->num_channels; j++) {
+                       unsigned int freq;
+
+                       if (mode->channels[j].flag & HOSTAPD_CHAN_DISABLED)
+                               continue;
+
+                       freq = mode->channels[j].freq;
+                       if (!freq_range_list_includes(&ranges, freq))
+                               continue;
+
+                       int_array_add_unique(&freqs, freq);
+               }
+       }
+
+       os_free(ranges.range);
+       return freqs;
+}
+
+
  #ifdef CONFIG_INTERWORKING
+
+static int ctrl_interworking_select(struct wpa_supplicant *wpa_s, char *param)
+{
+       int auto_sel = 0;
+       int *freqs = NULL;
+
+       if (param) {
+               char *pos;
+
+               auto_sel = os_strstr(param, "auto") != NULL;
+
+               pos = os_strstr(param, "freq=");
+               if (pos) {
+                       freqs = freq_range_to_channel_list(wpa_s, pos + 5);
+                       if (freqs == NULL)
+                               return -1;
+               }
+
+       }
+
+       return interworking_select(wpa_s, auto_sel, freqs);
+}
+
+
  static int ctrl_interworking_connect(struct wpa_supplicant *wpa_s, char *dst)
  {
         u8 bssid[ETH_ALEN];
@@ -4781,9 +4858,8 @@ static int gas_response_get(struct wpa_supplicant *wpa_s, char *cmd, char *buf,
         int used;
         char *pos;
         size_t resp_len, start, requested_len;
-
-       if (!wpa_s->last_gas_resp)
-               return -1;
+       struct wpabuf *resp;
+       int ret;
  
         used = hwaddr_aton2(cmd, addr);
         if (used < 0)
@@ -4794,11 +4870,18 @@ static int gas_response_get(struct wpa_supplicant *wpa_s, char *cmd, char *buf,
                 pos++;
         dialog_token = atoi(pos);
  
-       if (os_memcmp(addr, wpa_s->last_gas_addr, ETH_ALEN) != 0 ||
-           dialog_token != wpa_s->last_gas_dialog_token)
+       if (wpa_s->last_gas_resp &&
+           os_memcmp(addr, wpa_s->last_gas_addr, ETH_ALEN) == 0 &&
+           dialog_token == wpa_s->last_gas_dialog_token)
+               resp = wpa_s->last_gas_resp;
+       else if (wpa_s->prev_gas_resp &&
+                os_memcmp(addr, wpa_s->prev_gas_addr, ETH_ALEN) == 0 &&
+                dialog_token == wpa_s->prev_gas_dialog_token)
+               resp = wpa_s->prev_gas_resp;
+       else
                 return -1;
  
-       resp_len = wpabuf_len(wpa_s->last_gas_resp);
+       resp_len = wpabuf_len(resp);
         start = 0;
         requested_len = resp_len;
  
@@ -4819,9 +4902,24 @@ static int gas_response_get(struct wpa_supplicant *wpa_s, char *cmd, char *buf,
         if (requested_len * 2 + 1 > buflen)
                 return os_snprintf(buf, buflen, "FAIL-Too long response");
  
-       return wpa_snprintf_hex(buf, buflen,
-                               wpabuf_head_u8(wpa_s->last_gas_resp) + start,
-                               requested_len);
+       ret = wpa_snprintf_hex(buf, buflen, wpabuf_head_u8(resp) + start,
+                              requested_len);
+
+       if (start + requested_len == resp_len) {
+               /*
+                * Free memory by dropping the response after it has been
+                * fetched.
+                */
+               if (resp == wpa_s->prev_gas_resp) {
+                       wpabuf_free(wpa_s->prev_gas_resp);
+                       wpa_s->prev_gas_resp = NULL;
+               } else {
+                       wpabuf_free(wpa_s->last_gas_resp);
+                       wpa_s->last_gas_resp = NULL;
+               }
+       }
+
+       return ret;
  }
  #endif /* CONFIG_INTERWORKING */
  
@@ -5160,6 +5258,10 @@ static void wpa_supplicant_ctrl_iface_flush(struct wpa_supplicant *wpa_s)
         wpas_p2p_stop_find(wpa_s);
         p2p_ctrl_flush(wpa_s);
         wpas_p2p_group_remove(wpa_s, "*");
+       wpas_p2p_service_flush(wpa_s);
+       wpa_s->global->p2p_disabled = 0;
+       wpa_s->global->p2p_per_sta_psk = 0;
+       wpa_s->conf->num_sec_device_types = 0;
  #endif /* CONFIG_P2P */
  
  #ifdef CONFIG_WPS_TESTING
@@ -5167,6 +5269,7 @@ static void wpa_supplicant_ctrl_iface_flush(struct wpa_supplicant *wpa_s)
         wps_testing_dummy_cred = 0;
  #endif /* CONFIG_WPS_TESTING */
  #ifdef CONFIG_WPS
+       wpa_s->wps_fragment_size = 0;
         wpas_wps_cancel(wpa_s);
  #endif /* CONFIG_WPS */
         wpa_s->after_wps = 0;
@@ -5203,49 +5306,215 @@ static void wpa_supplicant_ctrl_iface_flush(struct wpa_supplicant *wpa_s)
         wpa_s->extra_blacklist_count = 0;
         wpa_supplicant_ctrl_iface_remove_network(wpa_s, "all");
         wpa_supplicant_ctrl_iface_remove_cred(wpa_s, "all");
+       wpa_config_flush_blobs(wpa_s->conf);
+
+       wpa_sm_set_param(wpa_s->wpa, RSNA_PMK_LIFETIME, 43200);
+       wpa_sm_set_param(wpa_s->wpa, RSNA_PMK_REAUTH_THRESHOLD, 70);
+       wpa_sm_set_param(wpa_s->wpa, RSNA_SA_TIMEOUT, 60);
+       eapol_sm_notify_logoff(wpa_s->eapol, FALSE);
+
+       radio_remove_unstarted_work(wpa_s, NULL);
  }
  
  
-static void wpas_ctrl_eapol_response(void *eloop_ctx, void *timeout_ctx)
+static int wpas_ctrl_radio_work_show(struct wpa_supplicant *wpa_s,
+                                    char *buf, size_t buflen)
  {
-       struct wpa_supplicant *wpa_s = eloop_ctx;
-       eapol_sm_notify_ctrl_response(wpa_s->eapol);
+       struct wpa_radio_work *work;
+       char *pos, *end;
+       struct os_reltime now, diff;
+
+       pos = buf;
+       end = buf + buflen;
+
+       os_get_reltime(&now);
+
+       dl_list_for_each(work, &wpa_s->radio->work, struct wpa_radio_work, list)
+       {
+               int ret;
+
+               os_reltime_sub(&now, &work->time, &diff);
+               ret = os_snprintf(pos, end - pos, "%s@%s:%u:%u:%ld.%06ld\n",
+                                 work->type, work->wpa_s->ifname, work->freq,
+                                 work->started, diff.sec, diff.usec);
+               if (ret < 0 || ret >= end - pos)
+                       break;
+               pos += ret;
+       }
+
+       return pos - buf;
  }
  
  
-static int set_scan_freqs(struct wpa_supplicant *wpa_s, char *val)
+static void wpas_ctrl_radio_work_timeout(void *eloop_ctx, void *timeout_ctx)
  {
-       struct wpa_freq_range_list ranges;
-       int *freqs = NULL;
-       struct hostapd_hw_modes *mode;
-       u16 i;
+       struct wpa_radio_work *work = eloop_ctx;
+       struct wpa_external_work *ework = work->ctx;
  
-       if (wpa_s->hw.modes == NULL)
+       wpa_dbg(work->wpa_s, MSG_DEBUG,
+               "Timing out external radio work %u (%s)",
+               ework->id, work->type);
+       wpa_msg(work->wpa_s, MSG_INFO, EXT_RADIO_WORK_TIMEOUT "%u", ework->id);
+       os_free(ework);
+       radio_work_done(work);
+}
+
+
+static void wpas_ctrl_radio_work_cb(struct wpa_radio_work *work, int deinit)
+{
+       struct wpa_external_work *ework = work->ctx;
+
+       if (deinit) {
+               os_free(ework);
+               return;
+       }
+
+       wpa_dbg(work->wpa_s, MSG_DEBUG, "Starting external radio work %u (%s)",
+               ework->id, ework->type);
+       wpa_msg(work->wpa_s, MSG_INFO, EXT_RADIO_WORK_START "%u", ework->id);
+       if (!ework->timeout)
+               ework->timeout = 10;
+       eloop_register_timeout(ework->timeout, 0, wpas_ctrl_radio_work_timeout,
+                              work, NULL);
+}
+
+
+static int wpas_ctrl_radio_work_add(struct wpa_supplicant *wpa_s, char *cmd,
+                                   char *buf, size_t buflen)
+{
+       struct wpa_external_work *ework;
+       char *pos, *pos2;
+       size_t type_len;
+       int ret;
+       unsigned int freq = 0;
+
+       /* format: <name> [freq=<MHz>] [timeout=<seconds>] */
+
+       ework = os_zalloc(sizeof(*ework));
+       if (ework == NULL)
                 return -1;
  
-       os_memset(&ranges, 0, sizeof(ranges));
-       if (freq_range_list_parse(&ranges, val) < 0)
+       pos = os_strchr(cmd, ' ');
+       if (pos) {
+               type_len = pos - cmd;
+               pos++;
+
+               pos2 = os_strstr(pos, "freq=");
+               if (pos2)
+                       freq = atoi(pos2 + 5);
+
+               pos2 = os_strstr(pos, "timeout=");
+               if (pos2)
+                       ework->timeout = atoi(pos2 + 8);
+       } else {
+               type_len = os_strlen(cmd);
+       }
+       if (4 + type_len >= sizeof(ework->type))
+               type_len = sizeof(ework->type) - 4 - 1;
+       os_strlcpy(ework->type, "ext:", sizeof(ework->type));
+       os_memcpy(ework->type + 4, cmd, type_len);
+       ework->type[4 + type_len] = '\0';
+
+       wpa_s->ext_work_id++;
+       if (wpa_s->ext_work_id == 0)
+               wpa_s->ext_work_id++;
+       ework->id = wpa_s->ext_work_id;
+
+       if (radio_add_work(wpa_s, freq, ework->type, 0, wpas_ctrl_radio_work_cb,
+                          ework) < 0) {
+               os_free(ework);
                 return -1;
+       }
  
-       for (i = 0; i < wpa_s->hw.num_modes; i++) {
-               int j;
+       ret = os_snprintf(buf, buflen, "%u", ework->id);
+       if (ret < 0 || (size_t) ret >= buflen)
+               return -1;
+       return ret;
+}
  
-               mode = &wpa_s->hw.modes[i];
-               for (j = 0; j < mode->num_channels; j++) {
-                       unsigned int freq;
  
-                       if (mode->channels[j].flag & HOSTAPD_CHAN_DISABLED)
-                               continue;
+static int wpas_ctrl_radio_work_done(struct wpa_supplicant *wpa_s, char *cmd)
+{
+       struct wpa_radio_work *work;
+       unsigned int id = atoi(cmd);
  
-                       freq = mode->channels[j].freq;
-                       if (!freq_range_list_includes(&ranges, freq))
-                               continue;
+       dl_list_for_each(work, &wpa_s->radio->work, struct wpa_radio_work, list)
+       {
+               struct wpa_external_work *ework;
  
-                       int_array_add_unique(&freqs, freq);
-               }
+               if (os_strncmp(work->type, "ext:", 4) != 0)
+                       continue;
+               ework = work->ctx;
+               if (id && ework->id != id)
+                       continue;
+               wpa_dbg(wpa_s, MSG_DEBUG,
+                       "Completed external radio work %u (%s)",
+                       ework->id, ework->type);
+               eloop_cancel_timeout(wpas_ctrl_radio_work_timeout, work, NULL);
+               os_free(ework);
+               radio_work_done(work);
+               return 3; /* "OK\n" */
         }
  
-       os_free(ranges.range);
+       return -1;
+}
+
+
+static int wpas_ctrl_radio_work(struct wpa_supplicant *wpa_s, char *cmd,
+                               char *buf, size_t buflen)
+{
+       if (os_strcmp(cmd, "show") == 0)
+               return wpas_ctrl_radio_work_show(wpa_s, buf, buflen);
+       if (os_strncmp(cmd, "add ", 4) == 0)
+               return wpas_ctrl_radio_work_add(wpa_s, cmd + 4, buf, buflen);
+       if (os_strncmp(cmd, "done ", 5) == 0)
+               return wpas_ctrl_radio_work_done(wpa_s, cmd + 4);
+       return -1;
+}
+
+
+void wpas_ctrl_radio_work_flush(struct wpa_supplicant *wpa_s)
+{
+       struct wpa_radio_work *work, *tmp;
+
+       if (!wpa_s || !wpa_s->radio)
+               return;
+
+       dl_list_for_each_safe(work, tmp, &wpa_s->radio->work,
+                             struct wpa_radio_work, list) {
+               struct wpa_external_work *ework;
+
+               if (os_strncmp(work->type, "ext:", 4) != 0)
+                       continue;
+               ework = work->ctx;
+               wpa_dbg(wpa_s, MSG_DEBUG,
+                       "Flushing %sexternal radio work %u (%s)",
+                       work->started ? " started" : "", ework->id,
+                       ework->type);
+               if (work->started)
+                       eloop_cancel_timeout(wpas_ctrl_radio_work_timeout,
+                                            work, NULL);
+               os_free(ework);
+               radio_work_done(work);
+       }
+}
+
+
+static void wpas_ctrl_eapol_response(void *eloop_ctx, void *timeout_ctx)
+{
+       struct wpa_supplicant *wpa_s = eloop_ctx;
+       eapol_sm_notify_ctrl_response(wpa_s->eapol);
+}
+
+
+static int set_scan_freqs(struct wpa_supplicant *wpa_s, char *val)
+{
+       int *freqs = NULL;
+
+       freqs = freq_range_to_channel_list(wpa_s, val);
+       if (freqs == NULL)
+               return -1;
+
         os_free(wpa_s->manual_scan_freqs);
         wpa_s->manual_scan_freqs = freqs;
  
@@ -5265,6 +5534,7 @@ static void wpas_ctrl_scan(struct wpa_supplicant *wpa_s, char *params,
  
         wpa_s->manual_scan_passive = 0;
         wpa_s->manual_scan_use_id = 0;
+       wpa_s->manual_scan_only_new = 0;
  
         if (params) {
                 if (os_strncasecmp(params, "TYPE=ONLY", 9) == 0)
@@ -5283,6 +5553,10 @@ static void wpas_ctrl_scan(struct wpa_supplicant *wpa_s, char *params,
                 pos = os_strstr(params, "use_id=");
                 if (pos)
                         wpa_s->manual_scan_use_id = atoi(pos + 7);
+
+               pos = os_strstr(params, "only_new=1");
+               if (pos)
+                       wpa_s->manual_scan_only_new = 1;
         } else {
                 os_free(wpa_s->manual_scan_freqs);
                 wpa_s->manual_scan_freqs = NULL;
@@ -5332,18 +5606,25 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
         int reply_len;
  
         if (os_strncmp(buf, WPA_CTRL_RSP, os_strlen(WPA_CTRL_RSP)) == 0 ||
-           os_strncmp(buf, "SET_NETWORK ", 12) == 0 ||
-           os_strncmp(buf, "WPS_NFC_TAG_READ", 16) == 0 ||
-           os_strncmp(buf, "NFC_REPORT_HANDOVER", 19) == 0 ||
-           os_strncmp(buf, "NFC_RX_HANDOVER_SEL", 19) == 0) {
+           os_strncmp(buf, "SET_NETWORK ", 12) == 0) {
+               if (wpa_debug_show_keys)
+                       wpa_dbg(wpa_s, MSG_DEBUG,
+                               "Control interface command '%s'", buf);
+               else
+                       wpa_dbg(wpa_s, MSG_DEBUG,
+                               "Control interface command '%s [REMOVED]'",
+                               os_strncmp(buf, WPA_CTRL_RSP,
+                                          os_strlen(WPA_CTRL_RSP)) == 0 ?
+                               WPA_CTRL_RSP : "SET_NETWORK");
+       } else if (os_strncmp(buf, "WPS_NFC_TAG_READ", 16) == 0 ||
+                  os_strncmp(buf, "NFC_REPORT_HANDOVER", 19) == 0 ||
+                  os_strncmp(buf, "NFC_RX_HANDOVER_SEL", 19) == 0) {
                 wpa_hexdump_ascii_key(MSG_DEBUG, "RX ctrl_iface",
                                       (const u8 *) buf, os_strlen(buf));
         } else {
                 int level = MSG_DEBUG;
                 if (os_strcmp(buf, "PING") == 0)
                         level = MSG_EXCESSIVE;
-               wpa_hexdump_ascii(level, "RX ctrl_iface",
-                                 (const u8 *) buf, os_strlen(buf));
                 wpa_dbg(wpa_s, level, "Control interface command '%s'", buf);
         }
  
@@ -5637,9 +5918,11 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
                         reply_len = -1;
         } else if (os_strcmp(buf, "STOP_FETCH_ANQP") == 0) {
                 interworking_stop_fetch_anqp(wpa_s);
-       } else if (os_strncmp(buf, "INTERWORKING_SELECT", 19) == 0) {
-               if (interworking_select(wpa_s, os_strstr(buf + 19, "auto") !=
-                                       NULL) < 0)
+       } else if (os_strcmp(buf, "INTERWORKING_SELECT") == 0) {
+               if (ctrl_interworking_select(wpa_s, NULL) < 0)
+                       reply_len = -1;
+       } else if (os_strncmp(buf, "INTERWORKING_SELECT ", 20) == 0) {
+               if (ctrl_interworking_select(wpa_s, buf + 20) < 0)
                         reply_len = -1;
         } else if (os_strncmp(buf, "INTERWORKING_CONNECT ", 21) == 0) {
                 if (ctrl_interworking_connect(wpa_s, buf + 21) < 0)
@@ -5846,6 +6129,9 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
  #endif /* CONFIG_WNM */
         } else if (os_strcmp(buf, "FLUSH") == 0) {
                 wpa_supplicant_ctrl_iface_flush(wpa_s);
+       } else if (os_strncmp(buf, "RADIO_WORK ", 11) == 0) {
+               reply_len = wpas_ctrl_radio_work(wpa_s, buf + 11, reply,
+                                                reply_size);
         } else {
                 os_memcpy(reply, "UNKNOWN COMMAND\n", 16);
                 reply_len = 16;
@@ -6062,6 +6348,8 @@ static char * wpas_global_ctrl_iface_redir_p2p(struct wpa_global *global,
  {
  #ifdef CONFIG_P2P
         static const char * cmd[] = {
+               "LIST_NETWORKS",
+               "SAVE_CONFIG",
                 "P2P_FIND",
                 "P2P_STOP_FIND",
                 "P2P_LISTEN",
@@ -6076,6 +6364,12 @@ static char * wpas_global_ctrl_iface_redir_p2p(struct wpa_global *global,
                 NULL
         };
         static const char * prefix[] = {
+#ifdef ANDROID
+               "DRIVER ",
+#endif /* ANDROID */
+               "GET_NETWORK ",
+               "REMOVE_NETWORK ",
+               "SET ",
                 "P2P_FIND ",
                 "P2P_CONNECT ",
                 "P2P_LISTEN ",