From c098c253b12252acd85d24d013c79e6296a01e70 Mon Sep 17 00:00:00 2001
From: Kapil Gupta
Date: Fri, 31 Dec 2021 20:15:32 +0530
Subject: [PATCH] wpa_supplicant: Add BTM security checks

---
 .../esp_supplicant/src/esp_common.c | 51 +++++++++++++------
 .../esp_supplicant/src/esp_dpp.c | 4 +-
 .../esp_supplicant/src/esp_wpa2.c | 4 +-
 components/wpa_supplicant/src/common/scan.c | 4 ++
 .../wpa_supplicant/src/common/wnm_sta.c | 7 ++-
 5 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_common.c b/components/wpa_supplicant/esp_supplicant/src/esp_common.c
index 61e7239373..0fbbfcd9c7 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_common.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_common.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -23,7 +23,7 @@ struct wpa_supplicant g_wpa_supp;
-static void *s_supplicant_task_hdl = NULL;
+static TaskHandle_t s_supplicant_task_hdl = NULL;
 static void *s_supplicant_evt_queue = NULL;
 static void *s_supplicant_api_lock = NULL;
@@ -218,6 +218,7 @@ static void supplicant_sta_disconn_handler(void* arg, esp_event_base_t event_bas
     if (wpa_s->current_bss) {
         wpa_s->current_bss = NULL;
     }
+    clear_bssid_flag(wpa_s);
 }
 static int ieee80211_handle_rx_frm(u8 type, u8 *frame, size_t len, u8 *sender,
@@ -262,18 +263,25 @@ int esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
     struct wpa_supplicant *wpa_s = &g_wpa_supp;
     int ret;
-    s_supplicant_evt_queue = xQueueCreate(3, sizeof(supplicant_event_t));
-    ret = xTaskCreate(btm_rrm_task, "btm_rrm_t", SUPPLICANT_TASK_STACK_SIZE, NULL, 2, s_supplicant_task_hdl);
-    if (ret != pdPASS) {
-        wpa_printf(MSG_ERROR, "btm: failed to create task");
-        return ret;
-    }
-
     s_supplicant_api_lock = xSemaphoreCreateRecursiveMutex();
     if (!s_supplicant_api_lock) {
-        esp_supplicant_common_deinit();
         wpa_printf(MSG_ERROR, "%s: failed to create Supplicant API lock", __func__);
-        return ret;
+        ret = -1;
+        goto err;
+    }
+
+    s_supplicant_evt_queue = xQueueCreate(3, sizeof(supplicant_event_t));
+
+    if (!s_supplicant_evt_queue) {
+        wpa_printf(MSG_ERROR, "%s: failed to create Supplicant event queue", __func__);
+        ret = -1;
+        goto err;
+    }
+    ret = xTaskCreate(btm_rrm_task, "btm_rrm_t", SUPPLICANT_TASK_STACK_SIZE, NULL, 2, &s_supplicant_task_hdl);
+    if (ret != pdPASS) {
+        wpa_printf(MSG_ERROR, "btm: failed to create task");
+        ret = -1;
+        goto err;
     }
     esp_scan_init(wpa_s);
@@ -298,6 +306,9 @@ int esp_supplicant_common_init(struct wpa_funcs *wpa_cb)
     wpa_cb->wpa_sta_profile_match = NULL;
 #endif
     return 0;
+err:
+    esp_supplicant_common_deinit();
+    return ret;
 }
 void esp_supplicant_common_deinit(void)
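Review bot: The `err:` label delegates cleanup to esp_supplicant_common_deinit(), yet every path that reaches it has no btm_rrm task, and deinit (next hunk) releases the queue and lock only when posting SIG_SUPPLICANT_DEL_TASK fails; when the lock was created and only the queue allocation failed, esp_supplicant_post_evt() takes the lock and calls xQueueSend() on a NULL queue handle, which FreeRTOS builds with configASSERT enabled will trip on. Freeing what this function itself created directly at `err:` avoids that round-trip and does not depend on deinit's ordering; keep the deinit call only if code between the two hunks (lines 281-297, not visible here) also jumps to `err` after registering handlers. Resetting the pointers to NULL also lets a later esp_supplicant_common_init() start from a clean state. The hunk cuts through the middle of esp_supplicant_common_init().
```c
err:
    /* Nothing past this point created the btm_rrm task, so there is no
     * task to ask for cleanup: release the objects this function made. */
    if (s_supplicant_evt_queue) {
        vQueueDelete(s_supplicant_evt_queue);
        s_supplicant_evt_queue = NULL;
    }
    if (s_supplicant_api_lock) {
        vSemaphoreDelete(s_supplicant_api_lock);
        s_supplicant_api_lock = NULL;
    }
    return ret;
```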
@@ -311,10 +322,19 @@ void esp_supplicant_common_deinit(void)
                                  &supplicant_sta_conn_handler);
     esp_event_handler_unregister(WIFI_EVENT, WIFI_EVENT_STA_DISCONNECTED,
                                  &supplicant_sta_disconn_handler);
-    wpa_s->type = 0;
-    wpa_s->subtype = 0;
-    esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
-    if (esp_supplicant_post_evt(SIG_SUPPLICANT_DEL_TASK, 0) != 0) {
+    if (wpa_s->type) {
+        wpa_s->type = 0;
+        esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
+    }
+    if (!s_supplicant_task_hdl && esp_supplicant_post_evt(SIG_SUPPLICANT_DEL_TASK, 0) != 0) {
+        if (s_supplicant_evt_queue) {
+            vQueueDelete(s_supplicant_evt_queue);
+            s_supplicant_evt_queue = NULL;
+        }
+        if (s_supplicant_api_lock) {
+            vSemaphoreDelete(s_supplicant_api_lock);
+            s_supplicant_api_lock = NULL;
+        }
         wpa_printf(MSG_ERROR, "failed to send task delete event");
     }
 }
@@ -594,6 +614,7 @@ int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
     if (s_supplicant_api_lock) {
         SUPPLICANT_API_LOCK();
     } else {
+        os_free(evt);
         return -1;
     }
     if (xQueueSend(s_supplicant_evt_queue, &evt, 10 / portTICK_PERIOD_MS ) != pdPASS) {
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_dpp.c b/components/wpa_supplicant/esp_supplicant/src/esp_dpp.c
index f9e26019ea..c7558cf7ec 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_dpp.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_dpp.c
@@ -18,7 +18,7 @@
 #include "common/ieee802_11_defs.h"
 #ifdef CONFIG_DPP
-static void *s_dpp_task_hdl = NULL;
+static TaskHandle_t s_dpp_task_hdl = NULL;
 static void *s_dpp_evt_queue = NULL;
 static void *s_dpp_api_lock = NULL;
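Review bot: The condition `!s_supplicant_task_hdl && esp_supplicant_post_evt(SIG_SUPPLICANT_DEL_TASK, 0) != 0` posts the delete event only when no task exists, so on a normal deinit with the btm_rrm task running nothing is posted and the task, its queue and the lock all outlive the supplicant; when the task was never created the post can succeed (the queue has room) and the cleanup below is skipped as well. The test reads as inverted: `if (s_supplicant_task_hdl && esp_supplicant_post_evt(SIG_SUPPLICANT_DEL_TASK, 0) == 0) { return; }` followed by unconditional deletion of the queue and lock expresses the likely intent, assuming the task itself frees the queue and lock when it handles SIG_SUPPLICANT_DEL_TASK (that handler is not in this diff — confirm). Whoever deletes the task should also set `s_supplicant_task_hdl = NULL`, otherwise the handle is stale on the next init/deinit cycle. The new `if (wpa_s->type)` block no longer clears `wpa_s->subtype` as the old code did; if a zero type makes the subtype irrelevant, a short comment saying so would prevent the next reader from "fixing" it. The start of esp_supplicant_common_deinit() is outside the hunk.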
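Review bot: The added `os_free(evt)` closes the leak on the no-lock path, but esp_supplicant_post_evt() still hands `s_supplicant_evt_queue` to xQueueSend() without checking it, and after this patch that pointer can be NULL while the lock exists (esp_supplicant_common_init() creates the lock first and reaches deinit, hence this function, when the queue allocation fails). A NULL queue handle trips configASSERT() in FreeRTOS builds that enable it. Guard both objects up front, `if (!s_supplicant_api_lock || !s_supplicant_evt_queue) { os_free(evt); return -1; }`, and take the lock after that check. The xQueueSend() failure branch continues outside this hunk; it needs to free `evt` and release the lock too — confirm it does.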
@@ -636,7 +636,7 @@ esp_err_t esp_supp_dpp_init(esp_supp_dpp_event_cb_t cb)
     s_dpp_stop_listening = false;
     s_dpp_evt_queue = xQueueCreate(3, sizeof(dpp_event_t));
-    ret = xTaskCreate(esp_dpp_task, "dppT", DPP_TASK_STACK_SIZE, NULL, 2, s_dpp_task_hdl);
+    ret = xTaskCreate(esp_dpp_task, "dppT", DPP_TASK_STACK_SIZE, NULL, 2, &s_dpp_task_hdl);
     if (ret != pdPASS) {
         wpa_printf(MSG_ERROR, "DPP: failed to create task");
         return ESP_FAIL;
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
index b98b526102..f966207c5c 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
@@ -64,7 +64,7 @@ static int wpa2_start_eapol_internal(void);
 int wpa2_post(uint32_t sig, uint32_t par);
 #ifdef USE_WPA2_TASK
-static void *s_wpa2_task_hdl = NULL;
+static TaskHandle_t s_wpa2_task_hdl = NULL;
 static void *s_wpa2_queue = NULL;
 static wpa2_state_t s_wpa2_state = WPA2_STATE_DISABLED;
 static void *s_wpa2_api_lock = NULL;
@@ -793,7 +793,7 @@ static int eap_peer_sm_init(void)
     gEapSm = sm;
 #ifdef USE_WPA2_TASK
     s_wpa2_queue = xQueueCreate(SIG_WPA2_MAX, sizeof(s_wpa2_queue));
-    ret = xTaskCreate(wpa2_task, "wpa2T", WPA2_TASK_STACK_SIZE, NULL, 2, s_wpa2_task_hdl);
+    ret = xTaskCreate(wpa2_task, "wpa2T", WPA2_TASK_STACK_SIZE, NULL, 2, &s_wpa2_task_hdl);
     if (ret != pdPASS) {
         wpa_printf(MSG_ERROR, "wps enable: failed to create task");
         ret = ESP_FAIL;
diff --git a/components/wpa_supplicant/src/common/scan.c b/components/wpa_supplicant/src/common/scan.c
index 46dab15be1..dac96e3b80 100644
--- a/components/wpa_supplicant/src/common/scan.c
+++ b/components/wpa_supplicant/src/common/scan.c
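Review bot: Passing `&s_dpp_task_hdl` fixes a handle that was previously written nowhere, but `s_dpp_evt_queue = xQueueCreate(3, sizeof(dpp_event_t))` on the line above is still unchecked, so on allocation failure esp_dpp_task starts with a NULL queue. Mirror the check this same commit adds to esp_supplicant_common_init(): `if (!s_dpp_evt_queue) { wpa_printf(MSG_ERROR, "DPP: failed to create event queue"); return ESP_FAIL; }` before the xTaskCreate() call. The task-create failure branch returns ESP_FAIL without deleting the queue it just created; the function continues past this hunk, so confirm nothing else releases it.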
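Review bot: Same gap as the DPP hunk: `s_wpa2_queue = xQueueCreate(SIG_WPA2_MAX, sizeof(s_wpa2_queue))` is not checked before wpa2_task is created on it, and the failure branch only sets `ret = ESP_FAIL` (its continuation, including whether the queue is deleted, is outside the hunk). Add `if (!s_wpa2_queue) { wpa_printf(MSG_ERROR, "wpa2: failed to create queue"); ret = ESP_FAIL; }` and route it through the same failure handling the task-create error uses, matching the checks this commit adds to esp_common.c. The log text "wps enable: failed to create task" names WPS for the WPA2 task and looks copied; "wpa2: failed to create task" would be clearer. eap_peer_sm_init() starts and ends outside this hunk.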
@@ -36,6 +36,10 @@ void wpa_supplicant_req_scan(struct wpa_supplicant *wpa_s, int sec, int usec)
         wpa_dbg(wpa_s, MSG_DEBUG, "Already scanning - Return");
         return;
     }
+    if (!wpa_s->current_bss) {
+        wpa_dbg(wpa_s, MSG_INFO, "Current BSS is null - Return");
+        return;
+    }
     params = os_zalloc(sizeof(*params));
     if (!params) {
diff --git a/components/wpa_supplicant/src/common/wnm_sta.c b/components/wpa_supplicant/src/common/wnm_sta.c
index 9a05d57b30..0ca33587a8 100644
--- a/components/wpa_supplicant/src/common/wnm_sta.c
+++ b/components/wpa_supplicant/src/common/wnm_sta.c
@@ -308,12 +308,15 @@ bool wpa_scan_res_match(struct wpa_supplicant *wpa_s,
         return false;
     }
-    /* TODO security Match */
+    /* Just check for Open/secure mode */
+    if ((current_bss->caps & WLAN_CAPABILITY_PRIVACY) != (target_bss->caps & WLAN_CAPABILITY_PRIVACY)) {
+        wpa_printf(MSG_DEBUG, "WNM: Security didn't match");
+        return false;
+    }
     return true;
 }
-
 static struct wpa_bss *
 compare_scan_neighbor_results(struct wpa_supplicant *wpa_s, os_time_t age_secs,
                               enum mbo_transition_reject_reason *reason)
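Review bot: The new guard returns silently when `wpa_s->current_bss` is NULL, but nothing states why a scan request requires an associated BSS; the log text describes the state, not the reason, and at MSG_INFO it will repeat for every request made while unassociated. A one-line comment above the check would help the next reader, e.g. `/* Scan results are matched against the associated BSS; nothing to compare while unassociated — confirm no caller needs an unassociated scan here */`, since callers other than WNM are not visible in this diff. The rest of wpa_supplicant_req_scan() (params setup) lies outside the hunk.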
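Review bot: Comparing only `WLAN_CAPABILITY_PRIVACY` accepts any encrypted target for an encrypted current BSS, so a forged or rogue-AP BTM request can still steer a WPA2/WPA3 station toward a WEP, WPA-TKIP or different-AKM network that sets the same bit (management-frame protection covers the BTM frame only once it has been negotiated); upstream wpa_supplicant matches candidates on the parsed RSN/WPA IE, not on the capability bit. Also require a common AKM and pairwise cipher from both BSSes' RSN IE, using the IE accessor and RSN parser the supplicant already carries (`wpa_bss_get_ie()` and `wpa_parse_wpa_ie()` — confirm both are linked in this port), and reject when there is no overlap; a current BSS without an RSN IE then gets no steering, which is the safe default. The earlier checks of wpa_scan_res_match() precede this hunk.
```c
    /* … unchanged: Privacy-bit comparison … */
    /* The Privacy bit does not tell WEP, WPA-TKIP, WPA2 and WPA3 apart:
     * insist on a shared AKM and pairwise cipher before accepting the target. */
    if (current_bss->caps & WLAN_CAPABILITY_PRIVACY) {
        const u8 *cur_rsn = wpa_bss_get_ie(current_bss, WLAN_EID_RSN);
        const u8 *tgt_rsn = wpa_bss_get_ie(target_bss, WLAN_EID_RSN);
        struct wpa_ie_data cur_ie, tgt_ie;

        if (!cur_rsn || !tgt_rsn ||
            wpa_parse_wpa_ie(cur_rsn, 2 + cur_rsn[1], &cur_ie) < 0 ||
            wpa_parse_wpa_ie(tgt_rsn, 2 + tgt_rsn[1], &tgt_ie) < 0 ||
            !(cur_ie.key_mgmt & tgt_ie.key_mgmt) ||
            !(cur_ie.pairwise_cipher & tgt_ie.pairwise_cipher)) {
            wpa_printf(MSG_DEBUG, "WNM: AKM/cipher didn't match");
            return false;
        }
    }
    return true;
```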