Acasă Explorează Ajutor
Autentificare
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Răsfoiți Sursa

qcacld-3.0: Fix invalid challenge text sent out by SAP

Fix invalid challenge text sent out by SAP. Due to incorrect length
check, challenge text in shared key authentication is not updated
correctly resulting in STA dropping the auth response which eventually
results in connection failure.

Change-Id: I2667ee15fd18e58a48cfb6d79980a0be82ff3b6a
CRs-Fixed: 2055806
Krishna Kumaar Natarajan 8 ani în urmă
părinte
5e0387a8a0
comite
0517c6044b
2 a modificat fișierele cu 37 adăugiri și 22 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 0 1
      core/mac/inc/sir_mac_prot_def.h
  2. 37 21
      core/mac/src/pe/lim/lim_send_management_frames.c

+ 0 - 1
core/mac/inc/sir_mac_prot_def.h
Vizualizați fișierul 

@@ -548,7 +548,6 @@
 
 #define SIR_MAC_AUTH_ALGO_OFFSET             0
 
 #define SIR_MAC_AUTH_XACT_SEQNUM_OFFSET      2
 
 #define SIR_MAC_AUTH_STATUS_CODE_OFFSET      4
 
-#define SIR_MAC_AUTH_CHALLENGE_OFFSET        6
 
 
 /* / Transaction sequence number definitions (used in Authentication frames) */
 
 #define    SIR_MAC_AUTH_FRAME_1        1

+ 37 - 21
core/mac/src/pe/lim/lim_send_management_frames.c
Vizualizați fișierul 

@@ -2087,6 +2087,7 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 	uint8_t tx_flag = 0;
 
 	uint8_t sme_sessionid = 0;
 
 	uint16_t ft_ies_length = 0;
 
+	bool challenge_req = false;
 
 
 	if (NULL == session) {
 
 		pe_err("Error: psession Entry is NULL");
 
@@ -2108,8 +2109,8 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 		pe_debug("Sending encrypted auth frame to " MAC_ADDRESS_STR,
 
 				MAC_ADDR_ARRAY(peer_addr));
 
 
-		frame_len = sizeof(tSirMacMgmtHdr) + LIM_ENCR_AUTH_BODY_LEN;
 
 		body_len = LIM_ENCR_AUTH_BODY_LEN;
 
+		frame_len = sizeof(tSirMacMgmtHdr) + body_len;
 
 
 		goto alloc_packet;
 
 	}
 
@@ -2131,9 +2132,8 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 		 * and status code.
 
 		 */
 
 
-		frame_len = sizeof(tSirMacMgmtHdr) +
 
-			   SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
-		body_len = SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
+		body_len = SIR_MAC_AUTH_FRAME_INFO_LEN;
 
+		frame_len = sizeof(tSirMacMgmtHdr) + body_len;
 
 
 		if (auth_frame->authAlgoNumber == eSIR_FT_AUTH) {
 
 			if (NULL != session->ftPEContext.pFTPreAuthReq &&
 
@@ -2163,9 +2163,8 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 			 * transaction number and status code.
 
 			 */
 
 
-			frame_len = sizeof(tSirMacMgmtHdr) +
 
-				   SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
-			body_len = SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
+			body_len = SIR_MAC_AUTH_FRAME_INFO_LEN;
 
+			frame_len = sizeof(tSirMacMgmtHdr) + body_len;
 
 		} else {
 
 			/*
 
 			 * Shared Key algorithm with challenge text
 
@@ -2178,9 +2177,10 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 			 * for challenge text.
 
 			 */
 
 
-			frame_len = sizeof(tSirMacMgmtHdr) +
 
-				   sizeof(tSirMacAuthFrame);
 
-			body_len = sizeof(tSirMacAuthFrameBody);
 
+			challenge_req = true;
 
+			body_len = SIR_MAC_AUTH_FRAME_INFO_LEN +
 
+					SIR_MAC_AUTH_CHALLENGE_BODY_LEN;
 
+			frame_len = sizeof(tSirMacMgmtHdr) + body_len;
 
 		}
 
 		break;
 
 
@@ -2194,9 +2194,8 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 		 * status code.
 
 		 */
 
 
-		frame_len = sizeof(tSirMacMgmtHdr) +
 
-			   SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
-		body_len = SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
+		body_len = SIR_MAC_AUTH_FRAME_INFO_LEN;
 
+		frame_len = sizeof(tSirMacMgmtHdr) + body_len;
 
 		break;
 
 
 	case SIR_MAC_AUTH_FRAME_4:
 
@@ -2207,9 +2206,8 @@ lim_send_auth_mgmt_frame(tpAniSirGlobal mac_ctx,
 
 		 * status code.
 
 		 */
 
 
-		frame_len = sizeof(tSirMacMgmtHdr) +
 
-			   SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
-		body_len = SIR_MAC_AUTH_CHALLENGE_OFFSET;
 
+		body_len = SIR_MAC_AUTH_FRAME_INFO_LEN;
 
+		frame_len = sizeof(tSirMacMgmtHdr) + body_len;
 
 
 		break;
 
 	default:
 
@@ -2265,11 +2263,29 @@ alloc_packet:
 
 			sir_swap_u16if_needed(auth_frame->authStatusCode);
 
 		body += sizeof(uint16_t);
 
 		body_len -= sizeof(uint16_t);
 
-		if (body_len <= (sizeof(auth_frame->type) +
 
-				sizeof(auth_frame->length) +
 
-				sizeof(auth_frame->challengeText)))
 
-			qdf_mem_copy(body, (uint8_t *) &auth_frame->type,
 
-				     body_len);
 
+
 
+		if (challenge_req) {
 
+			if (body_len < SIR_MAC_AUTH_CHALLENGE_BODY_LEN) {
 
+				qdf_mem_copy(body, (uint8_t *)&auth_frame->type,
 
+					     body_len);
 
+				pe_err("Incomplete challenge info: length: %d, expected: %d",
 
+				       body_len,
 
+				       SIR_MAC_AUTH_CHALLENGE_BODY_LEN);
 
+				body += body_len;
 
+				body_len = 0;
 
+			} else {
 
+				/* copy challenge IE id, len, challenge text */
 
+				*body = auth_frame->type;
 
+				body++;
 
+				*body = auth_frame->length;
 
+				body++;
 
+				qdf_mem_copy(body, auth_frame->challengeText,
 
+					     SIR_MAC_AUTH_CHALLENGE_LENGTH);
 
+				body += SIR_MAC_AUTH_CHALLENGE_LENGTH;
 
+
 
+				body_len -= SIR_MAC_AUTH_CHALLENGE_BODY_LEN;
 
+			}
 
+		}
 
 
 		if ((auth_frame->authAlgoNumber == eSIR_FT_AUTH) &&
 
 		    (auth_frame->authTransactionSeqNumber ==