mech_eap.git
9 years ago tests: Add a STA entry for ap-mgmt-fuzzer
Jouni Malinen [Tue, 28 Apr 2015 23:10:24 +0000 (02:10 +0300)]
tests: Add a STA entry for ap-mgmt-fuzzer

This increases the coverage for AP mode management frame fuzzing by
allowing a number of additional Action frame code paths to be executed.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Invalid WMM Action frame
Jouni Malinen [Tue, 28 Apr 2015 23:44:59 +0000 (02:44 +0300)]
tests: Invalid WMM Action frame

This is a regression test case for an AP mode WMM Action frame parsing
issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago AP WMM: Fix integer underflow in WMM Action frame parser
Jouni Malinen [Tue, 28 Apr 2015 23:21:53 +0000 (02:21 +0300)]
AP WMM: Fix integer underflow in WMM Action frame parser

The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and, while doing
so, in a segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
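As an added illustration of the length check this commit describes (and of the same "subtract first, check later" pattern the EAP-PAX and Public Action entries further down mention), the following C example, written for this page and not taken from hostapd, shows the unsafe subtraction beside a parser that validates the frame length before computing the remaining IE length. The four-byte fixed-field layout of the Action frame body, the function names and the sample bodies are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the Action frame body after the 802.11 header:
 * Category (1), Action Code (1), Dialog Token (1), Status Code (1),
 * followed by information elements encoded as (ID, Length, Value). */
#define ACTION_FIXED_LEN 4

/* Walk the IEs within [pos, pos + left) and count them. Refuses an element
 * whose declared length runs past the end of the buffer. Returns the IE
 * count, or -1 when the element list is malformed. */
static int count_ies(const uint8_t *pos, size_t left)
{
    int count = 0;

    while (left >= 2) {
        size_t elen = pos[1];
        if (elen > left - 2)
            return -1;              /* element would run past the buffer */
        pos += 2 + elen;
        left -= 2 + elen;
        count++;
    }
    return left == 0 ? count : -1;  /* a trailing lone byte is malformed */
}

/* The unsafe arithmetic in isolation: the fixed fields are subtracted from
 * the frame length before anyone checks that the frame is that long. For a
 * body shorter than ACTION_FIXED_LEN the result is negative, and a negative
 * int handed to a size_t parameter becomes a huge length. This function only
 * returns the number; it never dereferences anything. */
int wmm_action_ie_len_unchecked(size_t len)
{
    int left = (int) len - ACTION_FIXED_LEN;
    return left;
}

/* Hardened: validate the length before doing any arithmetic on it, so the
 * remaining length can never be negative when the IE parser runs. Returns
 * the IE count, or -1 if the frame is too short or its elements malformed. */
int wmm_action_ie_count(const uint8_t *body, size_t len)
{
    if (len < ACTION_FIXED_LEN)
        return -1;                  /* explicit check before any subtraction */
    return count_ies(body + ACTION_FIXED_LEN, len - ACTION_FIXED_LEN);
}

/* Constructed sample bodies for this example (not captured traffic). */
const uint8_t sample_ok[] = {
    0x11, 0x02, 0x01, 0x00,         /* category, action, token, status */
    0xdd, 0x03, 'a', 'b', 'c',      /* vendor-specific IE with 3 bytes */
    0x01, 0x00                      /* second IE with an empty payload */
};
const uint8_t sample_truncated_ie[] = {
    0x11, 0x02, 0x01, 0x00,
    0xdd, 0x10, 0x00                /* claims 16 bytes, only 1 present */
};
const uint8_t sample_short[] = { 0x11, 0x02 }; /* shorter than the fixed fields */

int main(void)
{
    printf("unchecked remaining length for a 2-byte body: %d\n",
           wmm_action_ie_len_unchecked(sizeof(sample_short)));
    printf("checked: ok=%d truncated=%d short=%d\n",
           wmm_action_ie_count(sample_ok, sizeof(sample_ok)),
           wmm_action_ie_count(sample_truncated_ie, sizeof(sample_truncated_ie)),
           wmm_action_ie_count(sample_short, sizeof(sample_short)));
    return 0;
}
```

The point of keeping the length check in the caller rather than relying on the IE walker is that the walker is only safe for the length it is told about; once a negative value has been converted to size_t, no bounds check inside the loop can recover.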
9 years ago tests: WPS HTTP protocol tests
Jouni Malinen [Tue, 28 Apr 2015 14:30:38 +0000 (17:30 +0300)]
tests: WPS HTTP protocol tests

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago WPS: Add more debug prints to httpread
Jouni Malinen [Tue, 28 Apr 2015 14:30:08 +0000 (17:30 +0300)]
WPS: Add more debug prints to httpread

These can be helpful when debugging HTTP error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago WPS: Replace the httpread_debug design with standard debug prints
Jouni Malinen [Tue, 28 Apr 2015 14:27:13 +0000 (17:27 +0300)]
WPS: Replace the httpread_debug design with standard debug prints

The debug information from httpread can be helpful in figuring out error
cases in general and as such, should be enabled by default. Get rid of
the hardcoded httpread_debug value that would require source code
changes to enable.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago WPS: Check maximum HTTP body length earlier in the process
Jouni Malinen [Tue, 28 Apr 2015 14:23:06 +0000 (17:23 +0300)]
WPS: Check maximum HTTP body length earlier in the process

There is no need to continue processing an HTTP body when it becomes
clear that the end result would be over the maximum length.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago WPS: Extra validation step for HTTP reader
Jouni Malinen [Tue, 28 Apr 2015 14:20:09 +0000 (17:20 +0300)]
WPS: Extra validation step for HTTP reader

Verify that the ncopy parameter to memcpy is not negative. While this is not
supposed to be needed, it is a good additional protection against
unknown implementation issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago WPS: Fix HTTP chunked transfer encoding parser
Jouni Malinen [Tue, 28 Apr 2015 14:08:33 +0000 (17:08 +0300)]
WPS: Fix HTTP chunked transfer encoding parser

strtoul() return value may end up overflowing the int h->chunk_size and
result in a negative value being stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument, which would result in a buffer overflow and segmentation fault.

This could have been used to cause a denial of service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).

Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
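As an added example of the validation this commit describes, the C code below (written for this page, not hostapd's httpread implementation) shows the unsafe strtoul()-into-int pattern beside a chunk-size parser that keeps the value in unsigned long and rejects negative, overflowing and over-limit sizes. The function names, the MAX_BODY_LEN limit and the chunk-size lines are assumptions constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed maximum HTTP body length for this example; the real reader's limit
 * is configured elsewhere and this value is not hostapd's. */
#define MAX_BODY_LEN 10000

/* The unsafe pattern: the chunk-size line is parsed with strtoul() and the
 * unsigned long result is stored straight into an int. A value above INT_MAX
 * wraps to a negative int, and that negative number later becomes an enormous
 * size_t when used as a memcpy() length. Returns the int as stored. */
int chunk_size_unchecked(const char *line)
{
    int chunk_size = strtoul(line, NULL, 16);   /* unsigned long -> int */
    return chunk_size;
}

/* Hardened: keep the parsed value in unsigned long, then reject anything that
 * did not parse, overflowed, would not fit a non-negative int, or would push
 * the body past MAX_BODY_LEN. 'body_len' is the number of body bytes already
 * received. Returns the chunk size (>= 0) or -1 to abort the read.
 * Note that strtoul() accepts a leading '-' and wraps it to a huge value, so
 * the INT_MAX comparison also catches "-1". */
int chunk_size_checked(const char *line, int body_len)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(line, &end, 16);
    if (end == line)                      /* no hex digits at all */
        return -1;
    if (errno == ERANGE)                  /* overflowed unsigned long */
        return -1;
    if (v > (unsigned long) INT_MAX)      /* would go negative in an int */
        return -1;
    if (v > (unsigned long) MAX_BODY_LEN) /* larger than any body we accept */
        return -1;
    if (body_len < 0 || body_len > MAX_BODY_LEN)
        return -1;                        /* inconsistent reader state */
    if ((int) v > MAX_BODY_LEN - body_len)
        return -1;                        /* total body would exceed the limit */
    return (int) v;
}

int main(void)
{
    /* Constructed chunk-size lines, CRLF-terminated as on the wire. */
    printf("unchecked \"ffffffff\": %d\n", chunk_size_unchecked("ffffffff\r\n"));
    printf("checked   \"ffffffff\": %d\n", chunk_size_checked("ffffffff\r\n", 0));
    printf("checked   \"1a\":       %d\n", chunk_size_checked("1a\r\n", 0));
    printf("checked   \"2710\" after 1 byte: %d\n",
           chunk_size_checked("2710\r\n", 1));
    return 0;
}
```

Checking the chunk size against the remaining body budget at parse time is what lets the reader abort before copying anything, which is the same idea as the "check maximum HTTP body length earlier" commit above.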
9 years ago dbus: Stop ongoing scheduled scan when scan is requested
Avraham Stern [Tue, 28 Apr 2015 11:01:03 +0000 (14:01 +0300)]
dbus: Stop ongoing scheduled scan when scan is requested

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
9 years ago Fix sending ANQP request to an unknown BSS while associated
Matti Gottlieb [Tue, 28 Apr 2015 11:01:04 +0000 (14:01 +0300)]
Fix sending ANQP request to an unknown BSS while associated

While being associated, if an ANQP request is received for a different
AP that doesn't exist in the BSS list, the ANQP request will be sent on
the frequency of the AP that we are currently associated to.

In such a case, it is possible that the ANQP request would be sent on
a channel different than that of the requested AP, potentially delaying
other requests/activities.

Avoid sending the ANQP request to an AP that is not in the BSS list.

Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
9 years ago wpa_cli: Fix memory leak when tracking networks
Andrei Otcheretianski [Tue, 28 Apr 2015 11:01:02 +0000 (14:01 +0300)]
wpa_cli: Fix memory leak when tracking networks

Fix memory leak introduced in commit
32a097fdd26b9401fbd22054a2a01ba2d71f139a ("wpa_cli: Keep track of
available networks") by tracking networks only when in interactive mode.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
9 years ago tests: TDLS link status test
Oren Givon [Tue, 28 Apr 2015 11:00:51 +0000 (14:00 +0300)]
tests: TDLS link status test

Add a test case for checking TDLS link status.

Signed-off-by: Oren Givon <oren.givon@intel.com>
9 years ago TDLS: Add TDLS_LINK_STATUS command to the control interface
Oren Givon [Tue, 28 Apr 2015 11:00:50 +0000 (14:00 +0300)]
TDLS: Add TDLS_LINK_STATUS command to the control interface

Add the TDLS_LINK_STATUS command to the control interface. This command
shows the status of our current TDLS connection with the given peer.
Also, add the TDLS_LINK_STATUS command to wpa_cli.

Signed-off-by: Oren Givon <oren.givon@intel.com>
9 years ago tests: IBSS RSN regression test for IBSS_RSN prior IBSS setup
Jouni Malinen [Sun, 3 May 2015 14:15:45 +0000 (17:15 +0300)]
tests: IBSS RSN regression test for IBSS_RSN prior IBSS setup

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago IBSS: Check ibss_rsn init before starting new IBSS authentication
Eduardo Abinader [Fri, 1 May 2015 14:14:16 +0000 (10:14 -0400)]
IBSS: Check ibss_rsn init before starting new IBSS authentication

Sanity check added to avoid a segmentation fault which occurs when
issuing the ibss_rsn ctrl iface cmd and IBSS was not initialized
previously via IBSS network selection.

Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
9 years ago libtommath: Fix check mp_init_multi() result
Maks Naumov [Sat, 2 May 2015 20:21:37 +0000 (23:21 +0300)]
libtommath: Fix check mp_init_multi() result

If the mp_init_multi() call had failed due to memory allocation failure,
mp_div() would have returned 1 instead of MP_MEM (-2). It looks like all
callers are checking the return value against MP_OKAY instead of <1
(etc.), so this does not seem to result in difference in behavior.
Anyway, it's best to fix the mp_div() return value for the MP_MEM error
case to avoid unexpected behavior.

Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
9 years ago Check Public Action length explicitly before reading Action Code
Jouni Malinen [Sun, 3 May 2015 13:24:01 +0000 (16:24 +0300)]
Check Public Action length explicitly before reading Action Code

In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-SIM/AKA: Explicitly check for header to include Reserved field
Jouni Malinen [Sun, 3 May 2015 08:18:31 +0000 (11:18 +0300)]
EAP-SIM/AKA: Explicitly check for header to include Reserved field

This was previously checked as part of the eap_sim_parse_attr()
processing, but it is easier to review the code if there is an
additional explicit check for confirming that the Reserved field is
present since the pos variable is advanced beyond it.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Fix EAP-SIM/AKA protocol tests to use full header
Jouni Malinen [Sun, 3 May 2015 08:17:06 +0000 (11:17 +0300)]
tests: Fix EAP-SIM/AKA protocol tests to use full header

A couple of the EAP-SIM/AKA protocol test cases were leaving out the
Reserved field. This was not intentional since these test cases were
targeting a specific Subtype processing instead of verifying truncated
header case (which is covered separately). Add the Reserved field to
allow the implementation to add an explicit, earlier check for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-SAKE: Make attribute parser more readable
Jouni Malinen [Sun, 3 May 2015 07:55:00 +0000 (10:55 +0300)]
EAP-SAKE: Make attribute parser more readable

Clean up eap_sake_parse_add_attr() design by passing in pointer to the
payload of the attribute instead of parsing these separately for each
attribute within the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-SAKE: Pass EAP identifier instead of full request
Jouni Malinen [Sun, 3 May 2015 07:46:17 +0000 (10:46 +0300)]
EAP-SAKE: Pass EAP identifier instead of full request

This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago TLS: Fix debug dump of X.509 certificate
Jouni Malinen [Sat, 2 May 2015 21:52:59 +0000 (00:52 +0300)]
TLS: Fix debug dump of X.509 certificate

The length of the extra data following the encoded certificate was
printed out in debug hexdump.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation
Jouni Malinen [Sat, 2 May 2015 15:18:51 +0000 (18:18 +0300)]
EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation

The req_plen argument to eap_pax_process_std_1() and
eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr)
since the main processing function was only verifying that there is
enough room for the ICV and then removed ICV length from the remaining
payload length.

In theory, this could have resulted in the size_t left parameter being
set to a negative value that would be interpreted as a huge positive
integer. That could then result in a small buffer read overflow and
process termination if MSGDUMP debug verbosity was in use.

In practice, it does not seem to be feasible to construct a short
message that would be able to pass the ICV validation (calculated using
HMAC-SHA1-128) even for the case where an empty password is used.
Anyway, the implementation should really check the length explicitly
instead of depending on implicit check through ICV validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-GPSK: Pass EAP identifier instead of full request
Jouni Malinen [Sat, 2 May 2015 13:50:15 +0000 (16:50 +0300)]
EAP-GPSK: Pass EAP identifier instead of full request

This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-TLS/PEAP/TTLS/FAST: Move more towards using struct wpabuf
Jouni Malinen [Sat, 2 May 2015 13:42:19 +0000 (16:42 +0300)]
EAP-TLS/PEAP/TTLS/FAST: Move more towards using struct wpabuf

The EAP-TLS-based helper functions can easily use struct wpabuf in more
places, so continue cleanup in that direction by replacing separate
pointer and length arguments with a single struct wpabuf argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-FAST: Do not use type cast to remove const specification
Jouni Malinen [Sat, 2 May 2015 13:19:47 +0000 (16:19 +0300)]
EAP-FAST: Do not use type cast to remove const specification

All the uses here are read only, so there is no need to type cast the
const specification away.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-FAST: Pass EAP identifier instead of full request
Jouni Malinen [Sat, 2 May 2015 13:15:57 +0000 (16:15 +0300)]
EAP-FAST: Pass EAP identifier instead of full request

This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago EAP-EKE: Do not pass full request to eap_eke_build_fail()
Jouni Malinen [Sat, 2 May 2015 13:03:12 +0000 (16:03 +0300)]
EAP-EKE: Do not pass full request to eap_eke_build_fail()

This function is only using the Identifier field from the EAP request
header, so there is no need to pass it a pointer to the full message.
This makes it a bit easier to analyze the area that gets access to
unverified message payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Fix a typo in function documentation
Jouni Malinen [Sat, 2 May 2015 12:55:33 +0000 (15:55 +0300)]
Fix a typo in function documentation

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago D-Bus: Fix network_is_persistent_group() for P2P operations
Jouni Malinen [Wed, 29 Apr 2015 17:48:07 +0000 (20:48 +0300)]
D-Bus: Fix network_is_persistent_group() for P2P operations

Commit c2762e410fa319f75a174aeb12343beddf99fce4 ('P2P: Update D-Bus
network object semantics during group formation') added this helper
function to determine whether a network block is used for storing a
persistent group information. However, it implemented this in a way that
matches both persistent group storage and an operating persistent group
instance. This does not seem to match the expected behavior for the
D-Bus objects, so fix this to match only the persistent group storage
case to avoid registering/unregistering incorrect D-Bus objects for
groups.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Fix wpas_notify_network_removed()
Jouni Malinen [Wed, 29 Apr 2015 17:47:14 +0000 (20:47 +0300)]
Fix wpas_notify_network_removed()

Commit bb3df9a569e4a33445c89ebc50019ba46b4f6704 ('notify: Do not raise
any signal from a P2P management interface') was supposed to only change
D-Bus behavior, but it ended up disabling non-D-Bus functionality as
well for some sequences where the P2P Device interface is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: Extend D-Bus test cases to cover separate P2P Device operations
Jouni Malinen [Wed, 29 Apr 2015 17:44:23 +0000 (20:44 +0300)]
tests: Extend D-Bus test cases to cover separate P2P Device operations

A number of the P2P test cases through D-Bus commands were not prepared
for there being a separate group interface when the P2P Device concept
is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago dbus: Add a debug print on fill_dict_with_properties() getter failures
Jouni Malinen [Wed, 29 Apr 2015 17:43:23 +0000 (20:43 +0300)]
dbus: Add a debug print on fill_dict_with_properties() getter failures

This makes it easier to debug issues with D-Bus property getter
operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago D-Bus: Fix operations when P2P management interface is used
Jouni Malinen [Wed, 29 Apr 2015 10:13:34 +0000 (13:13 +0300)]
D-Bus: Fix operations when P2P management interface is used

Commit 21efc940f6e7f07b84b7e5c5867f3d81594c4fb0 ('wpa_supplicant: Do not
register a P2P management interface on DBus') hides the special P2P
management interface from D-Bus. However, it did not take into account
the possibility of wpa_s->dbus_path and wpa_s->dbus_new_path being NULL
in such cases on a number of code paths within the D-Bus handlers. This
could result in invalid arguments (NULL path) being provided to D-Bus
functions (mainly, dbus_message_iter_append_basic) and NULL pointer
dereference when iterating over all interfaces. Either of these could
make wpa_supplicant process terminate.

Fix this by explicitly checking that the interface-specific D-Bus path
has been registered before using it anywhere with D-Bus handlers. In
addition, find the correct wpa_s instance to fix P2P operations through
D-Bus when the P2P Device interface is used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago RADIUS: Fix a copy-paste error in variable name
Jouni Malinen [Tue, 28 Apr 2015 23:38:40 +0000 (02:38 +0300)]
RADIUS: Fix a copy-paste error in variable name

MS-MPPE-Recv-Key generation in radius_msg_add_mppe_keys() used incorrect
function argument (send_key_len; should be recv_key_len) when allocating
a temporary buffer. Fix this by using the correct argument.

The only caller of the function uses the same length for both
send_key_len and recv_key_len, so this copy-paste error did not result
in any difference in the behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago WPS: Add support for 60 GHz band
Hamad Kadmany [Mon, 27 Apr 2015 17:42:08 +0000 (20:42 +0300)]
WPS: Add support for 60 GHz band

Handling of WPS RF band for 60 GHz was missing. Add it in all relevant
places and also map "AES" as the cipher to GCMP instead of CCMP when
operating on the 60 GHz band.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
9 years ago WPS: Fix shorter authentication timeout during no-SelReg iteration
Jouni Malinen [Mon, 27 Apr 2015 21:12:36 +0000 (00:12 +0300)]
WPS: Fix shorter authentication timeout during no-SelReg iteration

Commit 5add4101626b23c11f073630770896465d9cc8f3 ('WPS: Use shorter
authentication timeout during no-SelReg iteration') added a new
condition on reducing the authentication timeout for the WPS AP
iteration process. However, it ended up copy-pasting an incorrect
condition for this. This was supposed to apply for PIN-based config
method advertisement, not PBC.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago nl80211: Verify that cipher suite conversion succeeds
Jouni Malinen [Mon, 27 Apr 2015 13:49:06 +0000 (16:49 +0300)]
nl80211: Verify that cipher suite conversion succeeds

It was possible for the WPA_ALG_PMK algorithm in set_key() to result in
trying to configure a key with cipher suite 0. While this results in a
failure from cfg80211 or driver, this is not really desirable operation,
so add a check for cipher suite conversion result before issuing the
nl80211 command.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Try to set PMK only with key mgmt offload support in the driver
Jouni Malinen [Mon, 27 Apr 2015 13:47:07 +0000 (16:47 +0300)]
Try to set PMK only with key mgmt offload support in the driver

Previously, it was possible for the set_key() handler to be used with
WPA_ALG_PMK even if the driver did not indicate support for key
management offload. While this is not really supposed to result in any
difference, it makes the debug logs somewhat confusing. Avoid that by
using driver capability flag for key management offload as an additional
condition for setting the PMK.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: ProxyARP with na_mcast_to_ucast=1
Jouni Malinen [Mon, 27 Apr 2015 09:33:43 +0000 (12:33 +0300)]
tests: ProxyARP with na_mcast_to_ucast=1

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Make IPv6 NA multicast-to-unicast conversion configurable
Jouni Malinen [Mon, 27 Apr 2015 09:30:09 +0000 (12:30 +0300)]
Make IPv6 NA multicast-to-unicast conversion configurable

This can be used with Proxy ARP to allow multicast NAs to be forwarded
to associated STAs using link layer unicast delivery. This used to be
hardcoded to be enabled, but it is now disabled by default and can be
enabled with na_mcast_to_ucast=1. This functionality may not be desired
in all networks and most cases work without it, so the new
default-to-disabled is more appropriate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Interworking: Fix network selection warning without SIM/USIM support
Jouni Malinen [Sun, 26 Apr 2015 14:00:26 +0000 (17:00 +0300)]
Interworking: Fix network selection warning without SIM/USIM support

interworking_credentials_available_3gpp() would have left excluded2
uninitialized without INTERWORKING_3GPP in the build. This could result
in a static analyzer warning within
interworking_credentials_available_helper() about use of uninitialized
variable. Get rid of that warning by explicitly initializing excluded2
even though this does not really result in any difference in behavior
since the excluded2 value would be used only if non-NULL is returned
and that could not have been the case here without INTERWORKING_3GPP.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: Change vlan_id back and forth
Michael Braun [Sun, 26 Apr 2015 12:22:56 +0000 (14:22 +0200)]
tests: Change vlan_id back and forth

Enhance test ap_vlan_wpa2_radius_id_change to change the VLAN-ID
back as a last step. This ensures that the wpa_group for VLAN-ID 1
did not enter FATAL_FAILURE state during the test.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
9 years ago Remove WPA per-VLAN groups when no more stations remain
Michael Braun [Sun, 26 Apr 2015 12:22:55 +0000 (14:22 +0200)]
Remove WPA per-VLAN groups when no more stations remain

Previously, struct wpa_group was created when the first station enters
the group and the struct wpa_group was not freed when all stations left
the group. This causes a problem because wpa_group will enter
FATAL_FAILURE when a wpa_group is running while the AP_VLAN interface
has already been removed.

Fix this by adding a reference counter to struct wpa_group and free a
group if it is unused.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
9 years ago tests: Check vlan_id information in STA output
Jouni Malinen [Sun, 26 Apr 2015 12:59:19 +0000 (15:59 +0300)]
tests: Check vlan_id information in STA output

In addition, this adds some delay between the authentication and data
connectivity test through the newly added VLAN and by doing so, makes
ap_vlan_wpa2_radius_id_change a bit more robust. It was possible for the
EAPOL-Key message 4/4 not to have been processed yet by hostapd at the
time the data test started.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Make VLAN ID available in STA info over control interface
Jouni Malinen [Sun, 26 Apr 2015 12:58:10 +0000 (15:58 +0300)]
Make VLAN ID available in STA info over control interface

If hostapd has bound a STA into a specific VLAN, the new vlan_id
parameter in the control interface STA command can now be used to check
which VLAN ID is in use.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago P2P: Allow wpa_supplicant to start if social channels are not supported
Jouni Malinen [Sun, 26 Apr 2015 10:59:06 +0000 (13:59 +0300)]
P2P: Allow wpa_supplicant to start if social channels are not supported

It was possible for an nl80211-based driver to be determined to support
P2P even when the radio supports only the 5 GHz band. This resulted in
P2P initialization failing due to not being able to pick a social
channel and wpa_supplicant not starting. Fix this by not enabling P2P,
but still allowing wpa_supplicant initialization to complete.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago vlan: Move CONFIG_FULL_DYNAMIC_VLAN includes to proper places
Jouni Malinen [Sun, 26 Apr 2015 10:16:16 +0000 (13:16 +0300)]
vlan: Move CONFIG_FULL_DYNAMIC_VLAN includes to proper places

All the system header files are supposed to be included before any other
internal header file apart from utils/includes.h.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Do not use C++ reserved words as variable names
Jouni Malinen [Sun, 26 Apr 2015 10:09:47 +0000 (13:09 +0300)]
Do not use C++ reserved words as variable names

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago wpa_gui: Themed icon loader
Arkadiusz (Arkq) Bokowy [Mon, 20 Apr 2015 21:36:43 +0000 (23:36 +0200)]
wpa_gui: Themed icon loader

The signal strength meter uses non-standard icons (not included in the
freedesktop icon specification), which might not be available in all
icon sets on the market. What's more, according to the latest Ubuntu
practices, in the status-like places one should use symbolic icons.
Unfortunately not all icon sets provide them.

In order to overcome this inconsistency, we are going to try to load
more than one icon from the current theme in a fallback-like
fashion.

Signed-off-by: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
9 years ago Fix wpa_priv (CONFIG_PRIVSEP=y) build
Jouni Malinen [Sat, 25 Apr 2015 14:37:53 +0000 (17:37 +0300)]
Fix wpa_priv (CONFIG_PRIVSEP=y) build

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago Declare all read only data structures as const
Mikael Kanstrup [Fri, 24 Apr 2015 07:19:53 +0000 (09:19 +0200)]
Declare all read only data structures as const

By analysing objdump output, some read only structures were found in the
.data section. To help the compiler further optimize the code, declare
these as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
9 years ago OpenSSL: Try to ensure we don't throw away the PIN unnecessarily
Mike Gerow [Thu, 16 Apr 2015 00:57:51 +0000 (17:57 -0700)]
OpenSSL: Try to ensure we don't throw away the PIN unnecessarily

Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to an incorrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.

Signed-off-by: Mike Gerow <gerow@google.com>
9 years ago mesh: Retransmit the last Commit Message in the Committed state
Masashi Honma [Wed, 15 Apr 2015 10:28:16 +0000 (19:28 +0900)]
mesh: Retransmit the last Commit Message in the Committed state

Previously, the mesh state machine transmitted an updated Commit Message
when receiving a Confirm Message in the Committed state. According to the
standard, it should (re)send the latest Commit Message previously sent.

IEEE Std 802.11-2012, 11.3.8.6.4 Protocol instance behavior - Committed
state:
"Upon receipt of a Con event, ... If Sync is not greater than
dot11RSNASAESync, the protocol instance shall increment Sync, transmit
the last Commit Message sent to the peer, and set the t0
(retransmission) timer."

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
9 years ago tests: Verify dynamic_vlan=required is honored with macaddr_acl=2
Michael Braun [Tue, 14 Apr 2015 14:56:37 +0000 (16:56 +0200)]
tests: Verify dynamic_vlan=required is honored with macaddr_acl=2

dynamic_vlan=required also applies to macaddr_acl=2 (RADIUS), especially
when used with WPA-PSK.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
9 years ago vlan: Verify RADIUS returned VLAN-ID and dynamic_vlan=required
Michael Braun [Tue, 14 Apr 2015 14:56:38 +0000 (16:56 +0200)]
vlan: Verify RADIUS returned VLAN-ID and dynamic_vlan=required

This extends dynamic_vlan=required checks to apply for WPA-PSK with
macaddr_acl=2 (RADIUS) case.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
9 years ago tests: WPS AP iteration on no Selected Registrar and error case
Jouni Malinen [Fri, 24 Apr 2015 13:47:51 +0000 (16:47 +0300)]
tests: WPS AP iteration on no Selected Registrar and error case

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago WPS: Use shorter authentication timeout during no-SelReg iteration
Jouni Malinen [Fri, 24 Apr 2015 13:45:27 +0000 (16:45 +0300)]
WPS: Use shorter authentication timeout during no-SelReg iteration

When iterating through WPS APs that do not advertise Selected Registrar
TRUE, limit the authentication timeout to 10 seconds instead of the full
70 second value used with IEEE 802.1X/EAP/WPS in general. This helps
speed up AP iteration for cases where a selected AP misbehaves and does
not reply to EAP exchanges. This should not really be needed, but there
seem to be deployed APs that do not implement WPS correctly and with
such APs in the radio range, this extra timeout can speed up the
iteration to allow the correct AP to be found before the WPS operation
times out.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago WPS: Enforce five second minimum time before AP iteration
Hu Wang [Fri, 24 Apr 2015 12:53:08 +0000 (15:53 +0300)]
WPS: Enforce five second minimum time before AP iteration

Previously, wpa_supplicant was using the number of scan iterations
(WPS_PIN_SCAN_IGNORE_SEL_REG = 3) to give some time for finding a WPS AP
with Selected Registrar TRUE before starting to iterate through all WPS
APs. While this works fine in most cases, some drivers may return the
initial three scan results so quickly that the total amount of time is
only a couple of seconds in case none of the APs are initially advertising
Selected Registrar TRUE. To give some more time for APs (WPS Registrars)
to become ready, add an additional constraint on the iteration based on
time (WPS_PIN_TIME_IGNORE_SEL_REG = 5 seconds).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago tests: Increase wait timeout in autogo_m2d
Jouni Malinen [Fri, 24 Apr 2015 14:54:13 +0000 (17:54 +0300)]
tests: Increase wait timeout in autogo_m2d

The time before trying to associate with an AP that does not advertise
Selected Registrar TRUE is going to be incremented, so increase the
autogo_m2d timeout to avoid reporting incorrect errors due to missing
M2D events.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago Remove trailing whitespace from Makefile
Jouni Malinen [Thu, 23 Apr 2015 21:57:38 +0000 (00:57 +0300)]
Remove trailing whitespace from Makefile

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago P2P: Do not create a P2P Device interface if P2P is disabled
Ilan Peer [Wed, 22 Apr 2015 10:13:18 +0000 (13:13 +0300)]
P2P: Do not create a P2P Device interface if P2P is disabled

Do not add the dedicated P2P Device interface in case P2P is disabled in
the configuration file or globally.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
9 years ago Document p2p_disabled option in wpa_supplicant.conf
Ben Greear [Mon, 20 Apr 2015 23:54:27 +0000 (19:54 -0400)]
Document p2p_disabled option in wpa_supplicant.conf

I needed this option to disable P2P on a buggy system.
Document this so someone else finds it quicker next time.

Signed-off-by: Ben Greear <greearb@candelatech.com>
9 years ago tests: D-Bus AddNetwork for AP mode
Jouni Malinen [Thu, 23 Apr 2015 21:46:24 +0000 (00:46 +0300)]
tests: D-Bus AddNetwork for AP mode

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago tests: wpa_supplicant INTERFACE_ADD/REMOVE with large number of vifs
Jouni Malinen [Thu, 23 Apr 2015 21:08:41 +0000 (00:08 +0300)]
tests: wpa_supplicant INTERFACE_ADD/REMOVE with large number of vifs

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago nl80211: Extend unique MAC address assignment for station iftype
Jouni Malinen [Thu, 23 Apr 2015 16:11:36 +0000 (19:11 +0300)]
nl80211: Extend unique MAC address assignment for station iftype

Previously, only P2P and mesh use cases enforced unique MAC address for
a dynamically added virtual interface. Extend this to cover normal
station mode interfaces since those can now be added with INTERFACE_ADD.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago WPS: Explicitly reject Public Key attribute with unexpected length
Jouni Malinen [Sun, 19 Apr 2015 14:45:33 +0000 (17:45 +0300)]
WPS: Explicitly reject Public Key attribute with unexpected length

There is no need to try to derive DH shared key with a peer that tries
to use too short or too long DH Public Key. Previously, such cases ended
up implicitly getting rejected by the DH operations failing to produce
matching results. That is unnecessary, so simply reject the message
completely if it does not have a Public Key with valid length. Accept a
value a couple of octets shorter to avoid interoperability issues if
there are implementations that do not use zero-padding properly.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: WPS: Truncate variable length string attributes to maximum length
Jouni Malinen [Sun, 19 Apr 2015 14:17:37 +0000 (17:17 +0300)]
WPS: Truncate variable length string attributes to maximum length

This enforces that the variable length strings Manufacturer, Model Name,
Model Number, and Serial Number are within the maximum length defined in
the WSC specification. While none of the existing users for these within
hostapd/wpa_supplicant had problems with longer strings, it is good to
ensure the strings are not longer to avoid potential issues in higher
layer components.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify VHT Operation element parsing
Jouni Malinen [Sun, 19 Apr 2015 14:03:23 +0000 (17:03 +0300)]
Simplify VHT Operation element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify HT Operation element parsing
Jouni Malinen [Sun, 19 Apr 2015 14:01:25 +0000 (17:01 +0300)]
Simplify HT Operation element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify VHT Capabilities element parsing
Jouni Malinen [Sun, 19 Apr 2015 14:00:45 +0000 (17:00 +0300)]
Simplify VHT Capabilities element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify HT Capabilities element parsing
Jouni Malinen [Sun, 19 Apr 2015 13:48:21 +0000 (16:48 +0300)]
Simplify HT Capabilities element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify Timeout Interval element parsing
Jouni Malinen [Sun, 19 Apr 2015 13:38:11 +0000 (16:38 +0300)]
Simplify Timeout Interval element parsing

Remove the length field from struct ieee802_11_elems since the only
allowed element length is five and that is checked by the parser.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify ERP element parsing
Jouni Malinen [Sun, 19 Apr 2015 13:35:52 +0000 (16:35 +0300)]
Simplify ERP element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Simplify DSSS Parameter Set element parsing
Jouni Malinen [Sun, 19 Apr 2015 13:32:01 +0000 (16:32 +0300)]
Simplify DSSS Parameter Set element parsing

Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: FT: Check FT, MD, and Timeout Interval length in the parser
Jouni Malinen [Sun, 19 Apr 2015 13:28:35 +0000 (16:28 +0300)]
FT: Check FT, MD, and Timeout Interval length in the parser

All the existing users of these elements were already validating the
element length. However, it is clearer to validate this already at the
parser for an extra layer of protection against any future changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Fix a memory leak on mesh_attr_text() error path
Jouni Malinen [Sun, 19 Apr 2015 08:57:05 +0000 (11:57 +0300)]
Fix a memory leak on mesh_attr_text() error path

Should there not be enough room in the output buffer, the
bss_basic_rate_set line would not be printed. This error case was
handled otherwise, but the temporary memory allocation for building the
information was not freed.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: wlantest: Verify FTIE length before checking MIC
Jouni Malinen [Sun, 19 Apr 2015 08:42:02 +0000 (11:42 +0300)]
wlantest: Verify FTIE length before checking MIC

tdls_verify_mic() and tdls_verify_mic_teardown() could have tried to
read the 16-octet FTIE MIC when processing a TDLS frame even if the
received FTIE is truncated. At least in theory, this could result in
reading a couple of octets beyond the frame buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: FT: Fix WMM TSPEC validation in driver-based AP MLME case
Jouni Malinen [Sun, 19 Apr 2015 08:15:58 +0000 (11:15 +0300)]
FT: Fix WMM TSPEC validation in driver-based AP MLME case

Commit 88b32a99d30894b2d6bb391371c442fc117edbab ('FT: Add FT AP support
for drivers that manage MLME internally') added an alternative way of
processing the WMM TSPEC from RIC. However, that change did not seem to
include the same checks for WMM TSPEC element length that were used in
the original implementation for MLME-in-hostapd case. Fix this by
sharing the older implementation of copying the WMM TSPEC from RIC for
both cases.

It looks like the destination buffer for the response is sufficiently
long for the fixed length copy, but it may have been possible to trigger
a read beyond the end of the FTIE by about 50 bytes. Though, that seems
to be within the buffer received for RX buffer in the case that uses
this driver-based AP MLME design for FT.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: wlantest: Fix Beacon and Probe Response frame parser
Jouni Malinen [Sat, 18 Apr 2015 14:59:30 +0000 (17:59 +0300)]
wlantest: Fix Beacon and Probe Response frame parser

These functions did not verify that the received frame is long enough to
contain the beginning of the variable length IE area. A truncated frame
could have caused a segmentation fault due to reading beyond the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: tests: Add ap-mgmt-fuzzer
Jouni Malinen [Sat, 18 Apr 2015 13:27:18 +0000 (16:27 +0300)]
tests: Add ap-mgmt-fuzzer

This program can be used to run fuzzing tests for areas related to AP
management frame parsing and processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: tests: Add wnm-fuzzer
Jouni Malinen [Sat, 18 Apr 2015 10:42:24 +0000 (13:42 +0300)]
tests: Add wnm-fuzzer

This program can be used to run fuzzing tests for areas related to WNM
frame parsing and processing on the client side.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: tests: Add eapol-fuzzer
Jouni Malinen [Sat, 18 Apr 2015 08:31:11 +0000 (11:31 +0300)]
tests: Add eapol-fuzzer

This program can be used to run fuzzing tests for areas related to EAPOL
frame parsing and processing on the supplicant side.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: tests: Add p2p-fuzzer
Jouni Malinen [Wed, 8 Apr 2015 20:12:25 +0000 (23:12 +0300)]
tests: Add p2p-fuzzer

This program can be used to run fuzzing tests for areas related to P2P
message parsing and processing. p2p-fuzzer allows data files to be used
to inject Probe Response and Action frames for processing by the P2P
module.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: P2P: Use WPS_SEC_DEV_TYPE_MAX_LEN in P2P array definition
Jouni Malinen [Tue, 7 Apr 2015 13:06:43 +0000 (16:06 +0300)]
P2P: Use WPS_SEC_DEV_TYPE_MAX_LEN in P2P array definition

This makes it more obvious that the wps_parse_msg() bounds checking is
used to verify that there is sufficient space in the P2P buffer for the
secondary device types.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: tests: Add a module test for wpa_ssid_txt() with too long SSID
Jouni Malinen [Tue, 7 Apr 2015 12:52:34 +0000 (15:52 +0300)]
tests: Add a module test for wpa_ssid_txt() with too long SSID

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: Use common is_ctrl_char() helper function
Jouni Malinen [Tue, 7 Apr 2015 12:43:32 +0000 (15:43 +0300)]
Use common is_ctrl_char() helper function

This modifies a couple of code segments that replaced control characters
in strings with '_' to use a common helper function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: tests: P2P protocol tests for too long variable length fields
Jouni Malinen [Tue, 7 Apr 2015 12:31:37 +0000 (15:31 +0300)]
tests: P2P protocol tests for too long variable length fields

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: WPS: Ignore too long SSID attribute
Jouni Malinen [Tue, 7 Apr 2015 10:22:49 +0000 (13:22 +0300)]
WPS: Ignore too long SSID attribute

While it looks like all the users of this parsed attribute were able to
handle longer SSID values, there is no valid use case for these and to
avoid any potential future issues, enforce maximum length (32 bytes) on
the SSID during parsing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: Replace SSID_LEN with SSID_MAX_LEN
Jouni Malinen [Tue, 7 Apr 2015 09:59:29 +0000 (12:59 +0300)]
Replace SSID_LEN with SSID_MAX_LEN

This makes source code more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: Replace MAX_SSID_LEN with SSID_MAX_LEN
Jouni Malinen [Tue, 7 Apr 2015 09:44:39 +0000 (12:44 +0300)]
Replace MAX_SSID_LEN with SSID_MAX_LEN

This makes source code more consistent. The use within Android driver
interface is left as-is to avoid changes in the old PNO interface
definition.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: Replace HOSTAPD_MAX_SSID_LEN with SSID_MAX_LEN
Jouni Malinen [Tue, 7 Apr 2015 09:41:20 +0000 (12:41 +0300)]
Replace HOSTAPD_MAX_SSID_LEN with SSID_MAX_LEN

This makes source code more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: Replace WPA_MAX_SSID_LEN with SSID_MAX_LEN
Jouni Malinen [Tue, 7 Apr 2015 09:38:56 +0000 (12:38 +0300)]
Replace WPA_MAX_SSID_LEN with SSID_MAX_LEN

This makes the source code more consistent.

Signed-off-by: Jouni Malinen <j@w1.fi>
9 years ago: Use SSID_MAX_LEN define instead of value 32 when comparing SSID length
Jouni Malinen [Tue, 7 Apr 2015 09:00:13 +0000 (12:00 +0300)]
Use SSID_MAX_LEN define instead of value 32 when comparing SSID length

This makes the implementation easier to understand.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: WPS: Ignore too long Device Name attribute
Jouni Malinen [Tue, 7 Apr 2015 09:10:50 +0000 (12:10 +0300)]
WPS: Ignore too long Device Name attribute

While it looks like all the users of this parsed attribute were able to
handle longer Device Name values, there is no valid use case for these
and to avoid any potential issues in upper layer components, enforce
maximum length (32 bytes) on the Device Name during parsing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
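The WPS attribute handling described in the Public Key, string truncation, SSID and Device Name commits above, as an added example written for this page (not hostapd/wpa_supplicant code). It assumes the WSC attribute layout of Type(2) Length(2) Value in big-endian order, the attribute type codes and the Manufacturer/Model Name/Model Number/Serial Number maximums from the WSC specification (the 32-byte Device Name and SSID limits are the ones the commits state), a 192-octet Public Key for the 1536-bit DH group, and reads "a couple of octets shorter" as two; all of those are assumptions, as marked in the comments.

```c
/*
 * Added example (not hostapd/wpa_supplicant code): a minimal WSC attribute
 * parser showing the three policies from the commits above. String
 * attributes are truncated to their maximum, an over-long Device Name or
 * SSID is ignored, and a Public Key of unexpected length rejects the
 * whole message. Attributes are Type(2) Length(2) Value, big-endian.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Attribute type codes from the WSC specification (assumed, not on the page). */
enum {
	ATTR_DEV_NAME = 0x1011, ATTR_MANUFACTURER = 0x1021, ATTR_MODEL_NAME = 0x1023,
	ATTR_MODEL_NUMBER = 0x1024, ATTR_PUBLIC_KEY = 0x1032, ATTR_SERIAL_NUMBER = 0x1042,
	ATTR_SSID = 0x1045
};

#define WPS_DEV_NAME_MAX_LEN 32        /* stated by the Device Name commit */
#define SSID_MAX_LEN 32                /* stated by the SSID commit */
#define WPS_MANUFACTURER_MAX_LEN 64    /* WSC specification; assumed */
#define WPS_MODEL_NAME_MAX_LEN 32      /* WSC specification; assumed */
#define WPS_MODEL_NUMBER_MAX_LEN 32    /* WSC specification; assumed */
#define WPS_SERIAL_NUMBER_MAX_LEN 32   /* WSC specification; assumed */
#define WPS_PUBLIC_KEY_LEN 192         /* 1536-bit DH group; assumed */
#define WPS_PUBLIC_KEY_SLACK 2         /* "a couple of octets shorter" read as two; assumed */

struct wps_parse_attr {
	const uint8_t *manufacturer, *model_name, *model_number, *serial_number;
	size_t manufacturer_len, model_name_len, model_number_len, serial_number_len;
	const uint8_t *dev_name, *ssid, *public_key;
	size_t dev_name_len, ssid_len, public_key_len;
};

static size_t clamp(size_t len, size_t max) { return len > max ? max : len; }

/* Returns 0 on success, -1 if the message is malformed or must be rejected. */
int wps_parse_msg(const uint8_t *buf, size_t len, struct wps_parse_attr *attr)
{
	size_t pos = 0;

	memset(attr, 0, sizeof(*attr));
	while (len - pos >= 4) {
		uint16_t type = (uint16_t) ((buf[pos] << 8) | buf[pos + 1]);
		uint16_t alen = (uint16_t) ((buf[pos + 2] << 8) | buf[pos + 3]);
		const uint8_t *val = buf + pos + 4;

		pos += 4;
		if (alen > len - pos)
			return -1;                          /* attribute runs past the buffer */
		switch (type) {
		/* String attributes: keep the prefix up to the maximum length. */
		case ATTR_MANUFACTURER: attr->manufacturer = val; attr->manufacturer_len = clamp(alen, WPS_MANUFACTURER_MAX_LEN); break;
		case ATTR_MODEL_NAME: attr->model_name = val; attr->model_name_len = clamp(alen, WPS_MODEL_NAME_MAX_LEN); break;
		case ATTR_MODEL_NUMBER: attr->model_number = val; attr->model_number_len = clamp(alen, WPS_MODEL_NUMBER_MAX_LEN); break;
		case ATTR_SERIAL_NUMBER: attr->serial_number = val; attr->serial_number_len = clamp(alen, WPS_SERIAL_NUMBER_MAX_LEN); break;
		/* Device Name and SSID: no valid use for longer values, so they are dropped. */
		case ATTR_DEV_NAME: if (alen <= WPS_DEV_NAME_MAX_LEN) { attr->dev_name = val; attr->dev_name_len = alen; } break;
		case ATTR_SSID: if (alen <= SSID_MAX_LEN) { attr->ssid = val; attr->ssid_len = alen; } break;
		/* Public Key: a wrong length means DH cannot succeed, so reject outright. */
		case ATTR_PUBLIC_KEY:
			if (alen < WPS_PUBLIC_KEY_LEN - WPS_PUBLIC_KEY_SLACK || alen > WPS_PUBLIC_KEY_LEN)
				return -1;
			attr->public_key = val; attr->public_key_len = alen;
			break;
		default: break;                             /* unknown attributes are skipped */
		}
		pos += alen;
	}
	return pos == len ? 0 : -1;                 /* a trailing partial attribute is malformed */
}

/* Builds constructed test messages: appends one attribute filled with 'fill'. */
static size_t put_attr(uint8_t *out, size_t off, uint16_t type, uint8_t fill, size_t vlen)
{
	out[off] = (uint8_t) (type >> 8); out[off + 1] = (uint8_t) (type & 0xff);
	out[off + 2] = (uint8_t) (vlen >> 8); out[off + 3] = (uint8_t) (vlen & 0xff);
	memset(out + off + 4, fill, vlen);
	return off + 4 + vlen;
}

/* Constructed message: 70-octet Manufacturer, 40-octet Device Name, 190-octet Public Key.
 * Returns the Manufacturer length after truncation (64); -1 on any unexpected result. */
int demo_truncate_and_ignore(void)
{
	uint8_t msg[512];
	size_t n = 0;
	struct wps_parse_attr a;

	n = put_attr(msg, n, ATTR_MANUFACTURER, 'M', 70);
	n = put_attr(msg, n, ATTR_DEV_NAME, 'D', 40);
	n = put_attr(msg, n, ATTR_PUBLIC_KEY, 0x5a, WPS_PUBLIC_KEY_LEN - WPS_PUBLIC_KEY_SLACK);
	if (wps_parse_msg(msg, n, &a) != 0 || a.dev_name != NULL || a.public_key_len != 190)
		return -1;
	return (int) a.manufacturer_len;
}

/* Constructed message whose Public Key is 100 octets: the whole message is rejected (-1). */
int demo_reject_short_pubkey(void)
{
	uint8_t msg[256];
	size_t n = put_attr(msg, 0, ATTR_PUBLIC_KEY, 0x5a, 100);
	struct wps_parse_attr a;

	return wps_parse_msg(msg, n, &a);
}
```

The difference between the two policies matters for interoperability: truncating a Manufacturer string keeps the message usable when a peer is merely sloppy, while a mis-sized Public Key can never yield a matching DH result, so there is nothing to gain by continuing.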
9 years ago: Add WPS_DEV_NAME_MAX_LEN define and use it when comparing length
Jouni Malinen [Tue, 7 Apr 2015 09:04:58 +0000 (12:04 +0300)]
Add WPS_DEV_NAME_MAX_LEN define and use it when comparing length

This makes the code easier to understand.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: P2PS: Check for maximum SSID length in Persistent Group Info
Jouni Malinen [Tue, 7 Apr 2015 08:52:42 +0000 (11:52 +0300)]
P2PS: Check for maximum SSID length in Persistent Group Info

While none of the current users of msg.persistent_ssid{,_len} would have
issues with too long SSID value, it is safer to enforce bounds checking
on the SSID while parsing the attribute to avoid any potential issues in
the future.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: Ignore too long SSID element value in parser
Jouni Malinen [Tue, 7 Apr 2015 08:50:10 +0000 (11:50 +0300)]
Ignore too long SSID element value in parser

The SSID element is defined to have a valid length range of 0-32. While
this length was supposed to be validated by the users of the element
parser, there are not really any valid cases where the maximum length of
a 32-octet SSID would be exceeded and as such, the parser itself can
enforce the limit as an additional protection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
9 years ago: P2P: Validate SSID element length before copying it (CVE-2015-1863)
Jouni Malinen [Tue, 7 Apr 2015 08:32:11 +0000 (11:32 +0300)]
P2P: Validate SSID element length before copying it (CVE-2015-1863)

This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
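The element parsing discipline that runs through the commits above (the "Simplify ... element parsing" series, the wlantest Beacon/Probe Response fix, "Ignore too long SSID element value in parser" and the CVE-2015-1863 fix), as one added example written for this page rather than code from hostapd/wpa_supplicant. The struct and function names echo hostapd's but are defined here from scratch; the element IDs, the HT/VHT fixed lengths and the 12-octet Beacon fixed-field prefix are taken from IEEE 802.11 and are assumptions as far as this page goes, while the SSID, DSSS, ERP and Timeout Interval lengths are the ones the commits state. The sample IE buffers are constructed, not captured.

```c
/*
 * Added example (not hostapd/wpa_supplicant code): a minimal IEEE 802.11
 * information element walker applying the checks from the commits above:
 * an element must fit in the remaining buffer, fixed-length elements must
 * have exactly their defined length, and an SSID longer than 32 octets is
 * ignored so that a later memcpy() into a 32-octet array cannot overflow.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX_LEN 32          /* valid SSID length range is 0..32 (stated by the commits) */
#define BEACON_FIXED_LEN 12      /* timestamp(8) + interval(2) + capability(2); IEEE 802.11, assumed */

/* Element IDs (IEEE 802.11, assumed). Fixed payload lengths: 1, 1 and 5 are
 * stated by the commits; the HT/VHT values come from IEEE 802.11 and are assumed. */
enum {
	WLAN_EID_SSID = 0,
	WLAN_EID_DS_PARAMS = 3,          /* length 1 */
	WLAN_EID_ERP_INFO = 42,          /* length 1 */
	WLAN_EID_HT_CAP = 45,            /* length 26 */
	WLAN_EID_TIMEOUT_INTERVAL = 56,  /* length 5 */
	WLAN_EID_HT_OPERATION = 61,      /* length 22 */
	WLAN_EID_VHT_CAP = 191,          /* length 12 */
	WLAN_EID_VHT_OPERATION = 192     /* length 5 */
};

struct ieee802_11_elems {
	const uint8_t *ssid;
	size_t ssid_len;
	const uint8_t *ds_params, *erp_info, *timeout_int;
	const uint8_t *ht_capabilities, *ht_operation;
	const uint8_t *vht_capabilities, *vht_operation;
};

enum { PARSE_OK = 0, PARSE_FAILED = -1 };

/* Mandatory payload length for fixed-length elements, -1 for everything else. */
static int fixed_elem_len(uint8_t id)
{
	switch (id) {
	case WLAN_EID_DS_PARAMS: case WLAN_EID_ERP_INFO: return 1;
	case WLAN_EID_TIMEOUT_INTERVAL: case WLAN_EID_VHT_OPERATION: return 5;
	case WLAN_EID_VHT_CAP: return 12;
	case WLAN_EID_HT_OPERATION: return 22;
	case WLAN_EID_HT_CAP: return 26;
	default: return -1;
	}
}

/* Walk the IE area: ID(1) Length(1) Payload(Length). Fails on a truncated or
 * wrongly sized element; silently drops an over-long SSID. */
int ieee802_11_parse_elems(const uint8_t *start, size_t len, struct ieee802_11_elems *elems)
{
	const uint8_t *pos = start;
	size_t left = len;

	memset(elems, 0, sizeof(*elems));
	while (left >= 2) {
		uint8_t id = pos[0], elen = pos[1];
		int want;

		pos += 2;
		left -= 2;
		if (elen > left)
			return PARSE_FAILED;             /* element runs past the buffer */
		want = fixed_elem_len(id);
		if (want >= 0 && elen != (uint8_t) want)
			return PARSE_FAILED;             /* fixed-length element of wrong size */
		switch (id) {
		case WLAN_EID_SSID:
			if (elen <= SSID_MAX_LEN) {      /* a longer SSID is ignored, never copied */
				elems->ssid = pos;
				elems->ssid_len = elen;
			}
			break;
		case WLAN_EID_DS_PARAMS: elems->ds_params = pos; break;
		case WLAN_EID_ERP_INFO: elems->erp_info = pos; break;
		case WLAN_EID_TIMEOUT_INTERVAL: elems->timeout_int = pos; break;
		case WLAN_EID_HT_CAP: elems->ht_capabilities = pos; break;
		case WLAN_EID_HT_OPERATION: elems->ht_operation = pos; break;
		case WLAN_EID_VHT_CAP: elems->vht_capabilities = pos; break;
		case WLAN_EID_VHT_OPERATION: elems->vht_operation = pos; break;
		default: break;                      /* unknown elements are skipped */
		}
		pos += elen;
		left -= elen;
	}
	return left == 0 ? PARSE_OK : PARSE_FAILED;  /* a dangling byte is a malformed frame */
}

/* Beacon/Probe Response body: confirm the fixed fields are present before
 * touching the variable IE area (the wlantest fix above). */
int parse_beacon_body(const uint8_t *body, size_t len, struct ieee802_11_elems *elems)
{
	if (len < BEACON_FIXED_LEN)
		return PARSE_FAILED;
	return ieee802_11_parse_elems(body + BEACON_FIXED_LEN, len - BEACON_FIXED_LEN, elems);
}

/* Destination shaped like the P2P peer's oper_ssid array from the CVE-2015-1863 commit. */
struct p2p_device { uint8_t oper_ssid[SSID_MAX_LEN]; size_t oper_ssid_len; };

/* The CVE-2015-1863 pattern: validate against the destination size, then copy. */
int p2p_set_oper_ssid(struct p2p_device *dev, const uint8_t *ssid, size_t ssid_len)
{
	if (ssid_len > sizeof(dev->oper_ssid))
		return -1;
	memcpy(dev->oper_ssid, ssid, ssid_len);
	dev->oper_ssid_len = ssid_len;
	return 0;
}

/* Constructed sample IE areas (not captured traffic). */
static const uint8_t sample_ok[] = {
	0x00, 0x04, 't', 'e', 's', 't',   /* SSID "test" */
	0x03, 0x01, 0x06,                 /* DS Parameter Set: channel 6 */
	0x2a, 0x01, 0x00                  /* ERP Information */
};
static const uint8_t sample_truncated[] = { 0x00, 0x0a, 't', 'e', 's', 't' }; /* claims 10, has 4 */
static const uint8_t sample_bad_erp[] = { 0x2a, 0x02, 0x00, 0x00 };           /* ERP with length 2 */

int demo_ok(void)           /* parsed SSID length of sample_ok: 4 */
{
	struct ieee802_11_elems e;
	if (ieee802_11_parse_elems(sample_ok, sizeof(sample_ok), &e) != PARSE_OK || !e.ds_params || !e.erp_info)
		return -1;
	return (int) e.ssid_len;
}
int demo_truncated(void)    { struct ieee802_11_elems e; return ieee802_11_parse_elems(sample_truncated, sizeof(sample_truncated), &e); }
int demo_bad_erp(void)      { struct ieee802_11_elems e; return ieee802_11_parse_elems(sample_bad_erp, sizeof(sample_bad_erp), &e); }
int demo_short_beacon(void) { struct ieee802_11_elems e; return parse_beacon_body(sample_ok, 5, &e); }

/* A 40-octet SSID: the parser leaves it unset and the copy helper refuses it (-1). */
int demo_long_ssid(void)
{
	uint8_t buf[2 + 40] = { 0x00, 40 };
	struct ieee802_11_elems e;
	struct p2p_device dev;

	memset(buf + 2, 'A', 40);
	if (ieee802_11_parse_elems(buf, sizeof(buf), &e) != PARSE_OK || e.ssid != NULL)
		return -1;
	return p2p_set_oper_ssid(&dev, buf + 2, 40);
}
```

Two layers are deliberate: the parser drops an over-long SSID so callers never see it, and the copy helper still checks the length against its own array, which is the check the CVE-2015-1863 commit adds. Either layer alone would have stopped the overflow; keeping both means a future caller that bypasses the parser is still protected.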