Commit graph

5943 commits

Author SHA1 Message Date
Matthew Wang
acd9332c3b Fix success check for triggering 6 GHz scan
wpas_trigger_6ghz_scan() returns 1 on success and 0 on failure to
trigger the scan. Checking the return value to be less than zero is not
correct. This was supposed to check for success, i.e., greater than
zero.

Fixes: 42add3c27b ("Scan 6 GHz channels after change to 6 GHz-allowed regdom")
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2024-08-03 12:17:10 +03:00
Jintao Lin
d40788a5cb P2P: Use specified frequency for group client in P2P_GROUP_ADD command
In P2P_GROUP_ADD command and GroupAdd dbus method, frequency is passed
in as a parameter when restarting a persistent group. This is the group
operating frequency determined out of band. Use this pre-determined
frequency in P2P client as well to expedite the P2P scan.

Signed-off-by: Jintao Lin <jintaolin@chromium.org>
2024-08-03 11:49:24 +03:00
Ruth Mekonnen
9c0a6d64d0 dbus: Emit ScanInProgress6GHz property
Expose whether a 6 GHz scan is in progress with the ScanInProgress6GHz
property and flush properties as soon as the property is updated, so
that platforms can choose not to disconnect while a 6 GHz scan is in
progress. Once the 6 GHz scan has completed and scan results have been
received, the ScanInProgress6GHz property is reset to false.

Signed-off-by: Ruth Mekonnen <rmekonnen@chromium.org>
2024-08-03 11:43:57 +03:00
Ruth Mekonnen
b53d7a6a86 Add non-PSC channels to 6 GHz scan request
When non_coloc_6ghz = false, the STA is expected to scan for colocated
APs. However, if the colocated AP is on a non-PSC channel, it will not
be detected during the 6 GHz-only scan because the frequency list is
limited to PSC channels. Even when the NL80211_SCAN_FLAG_COLOCATED_6GHZ
is set, the cfg80211 only scans a subset of the channels in the original
6 GHz scan request. Therefore, this patch adds non-PSC channels to the
original 6 GHz scan request.

Signed-off-by: Ruth Mekonnen <rmekonnen@chromium.org>
2024-08-03 11:36:35 +03:00
Benjamin Berg
9e50c12b31 WNM: Scan for BSSID if there are forbidden neighbors
The test to scan for a single BSSID assumed that there is only a single
neighbor in the candidate list. Also do this optimization if there are
multiple neighbors but only one of them is valid.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 13:49:32 +03:00
Benjamin Berg
54b25b7c1d WNM: Always parse candidate list
The preferred candidate list included bit just makes parsing the list
mandatory. The AP may still include a candidate list which we should use
to be able to optimize scanning. As such, always parse out the list but
still verify that if the list is not empty if the bit is set.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 13:49:19 +03:00
Benjamin Berg
d9d8627873 WNM: Consolidate the scanning paths for BTM requests
There was an ancient code path to trigger a scan that was apparently
forgotten when the code was extended over time. It does not make any
sense to trigger a scan twice, so remove the earlier scan.

The earlier scan call was avoiding to trigger a new scan if a fixed
BSSID is configured. This seems like a reasonable restriction to do, so
add this check before starting a scan.

Consolidate everything so that scanning happens at the end of the
functions unless we bail out before. Add a "reset" label for all other
cases to ensure that we don't leave things in the a bad state.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 13:40:37 +03:00
Benjamin Berg
3b6abe3580 WNM: Reject requests with an invalid dialog token
The dialog token must be non-zero. We are using this fact internally to
track the state in some cases, so ensure that the assumption is valid.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 13:22:34 +03:00
Avraham Stern
f4a9cb96d6 MBO: Always accept BTM request with disassociation imminent bit set
According to Multiband Operation specification (r17, section 3.5.2),
a BSS Transition Management Request with the disassociation imminent
bit set should always be accepted.

This is enforced in case the request did not include a candidate list.
However, in case a candidate list was included but none of the APs in
the candidate list was found in the scan results, the request is
rejected.

Fix that by always accepting a request with the disassociation imminent
bit set even if no roaming candidate was found.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 13:20:53 +03:00
Benjamin Berg
adc6ca34a0 WNM: Move neighbor report test into wnm_is_bss_excluded()
Having it in wnm_is_bss_excluded() is more generic as it works for other
locations (e.g., MLD link selection). So move the test and add a check
for the abridged bit while at it. Note that without the abridged bit
check another check would be needed (e.g., checking wnm_dialog_token) to
ensure that there isn't a rejection unless a BTM is in progress.

compare_scan_neighbor_results() calls wpa_scan_res_match() which calls
wnm_is_bss_excluded() so the previous behavior is maintained for WNM
scan result processing.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 13:06:59 +03:00
Benjamin Berg
a832312806 WNM: Swap logic in wnm_is_bss_excluded() to allow more checks
Following commits will move more checks into wnm_is_bss_excluded().
Prepare for that by changing the logical flow so that further checks can
be inserted.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:58:27 +03:00
Benjamin Berg
582b5eff40 WNM: Remove unused age parameter for neighbor comparison
compare_scan_neighbor_results() was taking an age parameter to check
whether the BSS has been seen recently. This was used historically in a
codepath when no new scan was done. However, the logic was changed in
commit 20ed289a78 ("WNM: Clean up old scan data processing") and the
parameter is not used at all anymore as it is replaced by a different
logic. Remove it.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:57:34 +03:00
Benjamin Berg
4bbe004e06 WNM: Split candidate list parsing into a separate function
ieee802_11_rx_bss_trans_mgmt_req() is already dealing with a lot of
things including the decisions on how to act on the frame. Split out
candidate list parsing to make it easier to work with the function.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:53:07 +03:00
Benjamin Berg
b791d1f342 WNM: Use os_relatime_add_ms() helper
Just simplify the code a little bit by using the helper instead of doing
the math inline.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:42 +03:00
Jouni Malinen
da1a86afc6 WNM: Rename wnm_dissoc_timer
Use "disassoc" instead of "dissoc" when referring to disassociation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-08-02 12:48:25 +03:00
Benjamin Berg
ebd18f1ade WNM: Rename wnm_dissoc_addr
Use "disassoc" instead of "dissoc" when referring to disassociation.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:25 +03:00
Benjamin Berg
93eb3b83c6 WNM: Store whether disassociation address is an MLD MAC address
Commit 17a2aa822c ("WNM: Follow BTM procedure if the last link is
dropped") added code to store either the MLD MAC address or BSSID when
being disassociated. However, it did not save which one was stored
making the tests later on awkward.

Store whether it was an MLD MAC address or not and then do the test
accordingly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:25 +03:00
Benjamin Berg
63ac001ed2 WNM: Only trigger selection logic for own scans
Commit e508c070c4 ("WNM: Keep BTM information until connection
completes") changed the logic so that much of the information about a
transition management request will be kept around for longer. However,
doing this also implies that the scan logic can be called multiple times
with wnm_dialog_token being set.

Add a guard to bail out if the scan was not done for a BTM request. But,
add it after the transition candidate validity check so that we reset
the state when a new scan invalidated it.

However, invalidation does not make sense for any scan, primarily an ML
probe request during a connection attempt should not trigger
invalidation. So move the call to wnm_scan_process() further down in the
list to avoid issues.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:18 +03:00
Veerendranath Jakkam
bc43e75b2b MLD STA: Fix destination address for EAPOL frames
For MLO association, specify the destination address as the AP MLD MAC
address for sending EAPOL frames. Previously, this was set to the BSSID
in all cases (and hoped for the driver to map it to MLD MAC address when
needed).

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-08-01 20:15:07 +03:00
David Bauer
69d18ab9f2 bgscan: Add OWE transition mode SSID to network scan
Add transition mode SSIDs to the SSID scan-list for bgscan. This is
currently missing and bgscan fails to scan for SSIDs on the OWE
transition network if one is currently used.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-08-01 18:16:34 +03:00
David Bauer
56e8f8bf34 OWE: Enable roaming between OWE APs
This allows to use the ROAM control interface command to force roaming
on a transition network. Previously, this was not possible, as the open
SSID is stored for the connection profile. Add a new function to also
return OWE transition networks if the profile SSID is set as the
transition-ssid for the OWE RSN network.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-08-01 18:06:54 +03:00
David Bauer
ddfed3f084 OWE: Reduce code duplication in OWE element parsing
Reduce the code-duplication for methods handling the OWE transition
mode.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-08-01 18:01:07 +03:00
Jouni Malinen
be6e4279fa RSNO: Verify all RSNE/RSNXE variants in multi-link cases
Use the RSN Override Link KDE to include the override variants of the
RSNE/RSNXE for each link so that all variants are verifies when
processing the protected EAPOL-Key message 3/4.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 19:56:00 +03:00
Jouni Malinen
521374b978 RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4
This allows all variants to be verified based on a protected frame to
achieve robust downgrade protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 18:52:15 +03:00
Jouni Malinen
62ca121f96 RSNO: Use the RSN Selection element to indicate which variant was used
This replaces the use of the RSNE Override and RSNE Override 2 elements
with empty payload to indicate which RSNE variant was used.

In addition, this adds stricter validation of the RSNE in
(Re)Association Request frame to allow only the pairwise cipher suites
and AKMs listed in the indicated RSNE variant to be used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Hu Wang
92374d59d4 Enhance select_network() to trigger new scans in some cases
wpa_supplicant select_network() relies on fast_associate to reuse old
scan results. However, this approach does not apply in some cases in
Android:

1 - If the selected network is hidden, and the SSID is in Chinese,
Android switches between fallback SSIDs, necessitating a new scan for
switching between different hidden SSIDs.

2 - Similarly, if the selected SSID is OWE (Opportunistic Wireless
Encryption), and the OWE SSID bands have been changed, select_network()
requires a fresh scan to discover hidden OWE SSIDs.

To address these, enhance select_network() to trigger new scans instead
of relying on fast_associate. This improves network selection behavior
in Android.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-22 19:01:18 +00:00
Veerendranath Jakkam
ff99012d84 RSNO: Use correct MLO capability while fetching RSNE/RSNXE
Use current connection MLO capability to fetch the appropriate
RSNE/RSNXE variant while processing association event.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-22 18:50:24 +00:00
Veerendranath Jakkam
526ea193c8 Fallback to RSNXE when AP is not using valid RSN Overrding
wpa_supplicant was ignoring RSNXE also if the AP is not using valid
RSN overriding combination when the STA supports RSN overriding. Fix
this fallback to the RSNXE when AP is not using valid RSN overriding.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-22 18:48:20 +00:00
Jouni Malinen
765c48d5ad RSNE/RSNXE overriding for STA
Add support for RSNE/RSNXE Override elements. Use these elements to
determine AP's extended RSN parameters.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
d0b55eb360 Make driver capabilities for AKM suites available within wpa_supplicant
In addition, add some of the previously missed AKM suites from the
default capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
5488e120d3 Use helper functions to access RSNE/RSNXE from BSS entries
This is a step towards allowing the contents of RSNE/RSNXE to be
overridden.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
d945ddd368 Preparations for v2.11 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.10 and v2.11. Update the copyright years for the main
programs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:04:37 +03:00
Davide Caratti
aa2dfae5eb dbus: Fix memory leak with Bonjour params for a P2P UPnP service
Using D-Bus, it is possible to add a valid UPnP service where 'query'
and 'response' are specified. In this case, memory for 'query' and
'response' is allocated but not used nor freed. Valgrind complains as
follows:

 42 bytes in 1 blocks are definitely lost in loss record 32 of 75
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F41A: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2762)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

 49 bytes in 1 blocks are definitely lost in loss record 37 of 75
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F348: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2755)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix this ensuring that query and resp are freed both in the error and
non-error path of wpas_dbus_handler_p2p_add_service(). Also, add a test
in test_dbus.py to verify the correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-20 20:28:40 +03:00
David Ruth
70e5bad563 dbus: Fix SignalChange property
SignalChange should be defined as a property of an interface.
Previously, it was incorrectly defined as a property of P2P peers.

Fixes: 7a7ce95746 ("dbus: Emit more information over D-Bus")
Signed-off-by: David Ruth <druth@chromium.org>
2024-07-20 20:20:38 +03:00
Michael-CY Lee
e7172e26d3 MLD STA: Find partner links by BSSID and SSID
Non-AP MLD finds AP MLD's partner links by BSSID from the scan results.
However, if the scan results contain BSSs with the same BSSID but
different BSS information, the non-AP MLD might assign a wrong BSS to
one of the AP MLD's partner links.

Avoids the problem by using both BSSID and SSID to find the AP MLD's
partner links.

Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-07-13 18:09:32 +03:00
Chien Wong
44f20382cc NAN: Fix a typo in USD doc
The 'req_instance' parameter in transmit command should be
'req_instance_id'.

Fixes: e3f9ab3c3a ("NAN: USD in wpa_supplicant")
Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:34:56 +03:00
Jouni Malinen
1023654532 Make Beacon frame checks less frequent for SSID verification
Instead of checking the latest scan results every second indefinitely,
add more latency between the checks in case the driver does not update
the time stamp value (i.e., does not report new Beacon frames during an
association).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-12 13:13:09 +03:00
Andrei Otcheretianski
fcf799c0dd wpa_supplicant: Do not select a rejected SAE group
Make sure that sme_set_sae_group() doesn't select a group that was
previously rejected during this instance of SAE authentication.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-07-12 12:58:38 +03:00
Andrei Otcheretianski
094e188f84 wpa_supplicant: Always clear SAE rejected groups on roaming to another BSS
SAE rejected groups were not cleared in case of re-association to the
same ESS. Since new BSS can support different groups, keeping rejected
groups doesn't make sense and may result in AP rejecting the
authentication. Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-07-12 12:54:20 +03:00
Harshitha Prem
99e82880e8 Fix mesh 6 GHz incorrect channel bandwidth
When the wiphy supports multiple bands and reports different capability
values between 5 GHz and 6 GHz channels, the 6 GHz mesh interface is
unable to correctly map the channel width in function
ibss_mesh_setup_freq(). This issue arises because the modes of 5 GHz and
6 GHz interfaces are the same (HOSTAPD_MODE_IEEE80211A) in supported
modes.

To address this, use function get_mode() to determine the appropriate
mode during mesh setup. This will iterates through all the hw_features
sets and ensures compatibility with the band of the channel supported in
hw_features set.

Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
2024-07-12 12:17:04 +03:00
Jouni Malinen
5452a4a302 SSID verification based on beacon protection
If SSID was not verified during the initial setup of an association, but
beacon protection was negotiated, try verify the SSID based on Beacon
frames that have been received after the first BIGTK has been
configured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 23:55:05 +03:00
Jouni Malinen
89b164138c BSS: Add wpa_bss_get_ie_beacon()
This is a variant of wpa_bss_get_ie() to allow IEs to be checked from
only Beacon frames similarly to how wpa_bss_get_vendor_ie_beacon()
behaves for vendor specific elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 23:50:55 +03:00
Jouni Malinen
7436b5b012 Indicate if BIGTK has been set in STATUS output
The new "bigtk_set=1" entry in the control interface STATUS command
output indicates that a BIGTK has been successfully configured. This
shows that beacon protection has been enabled for the current
association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 23:14:02 +03:00
Jouni Malinen
c6f394b888 Indicate if SSID has been verified in STATUS output
Add a new "ssid_verified=1" entry into the control interface STATUS
command output if the SSID has been verified for the current
association. This verification may have been done implicitly (e.g., with
SAE H2E and FT protocol binding in the SSID into key derivation or with
FILS protecting the SSID element in the (Re)Association Request frame)
or explicitly with the recently added SSID protection mechanism during
the 4-way handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 22:58:12 +03:00
Ilan Peer
e5f76b9153 dbus: Fix error path in scan request handling
In case the scan request handling fails, exit cleanly, i.e., without
setting internal state such as the 'scan_res_handler' pointer.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-07-11 19:56:08 +03:00
Benjamin Berg
7bcede06e0 MLD: Ensure link_bssid array has space for sentinel
The consumer of the link_bssid array assumes it is a NULL terminated
array of BSSIDs. As such, add one to the maximum number of links to
ensure that there is always a sentinel value.

Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 18:53:59 +03:00
Benjamin Berg
cf3883f3d1 MLD: Ensure link BSSIDs remain on stack for ignore
When ignoring a link BSSID the multi-link information was parsed out
into a struct ml_sta_link_info on the stack. However, this stack
variable went out of scope before it was used by passing the link_bssids
pointer array to another function.

Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 18:53:59 +03:00
Jouni Malinen
9f0429c9e1 dbus: Make sure ServiceDiscoveryRequest/Result does not override pointers
Explicitly free the previously allocated copy if ServiceDiscoveryRequest
or Service DiscvoveryResponse parsing loop finds multiple instances of
the same dict entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-11 18:47:12 +03:00
Davide Caratti
d22401d895 dbus: Fix memory leak in case dbus provides 'tlvs' in invalid P2P SD response
Using D-Bus it is possible to request an invalid SD response where
"tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
this case, "tlv" is allocated and then never used nor freed. Valgrind
complains as follows:

 36 bytes in 1 blocks are definitely lost in loss record 20 of 74
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-11 18:39:39 +03:00
Davide Caratti
0c2d8417c6 dbus: Fix memory leak in case dbus provides tlv in P2P UPnP SD request
Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:

 72 bytes in 2 blocks are definitely lost in loss record 46 of 68
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-11 18:37:14 +03:00