From 73ec4a74fdb9f6fb861ab8524f5f8c7fc96df3b7 Mon Sep 17 00:00:00 2001
From: Shreyas Sheth
Date: Fri, 22 Mar 2024 13:37:25 +0530
Subject: [PATCH] fix(esp_wifi): Fix crash when assoc req comes before confirm is processed
---
 .../esp_supplicant/src/esp_hostap.c | 4 +--
 .../esp_supplicant/src/esp_hostap.h | 7 +++--
 .../esp_supplicant/src/esp_wpa_main.c | 25 +++++++++++++------
 components/wpa_supplicant/src/ap/wpa_auth.c | 4 +--
 4 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
index d9585c9f53..3beb7590da 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.c
@@ -281,8 +281,8 @@ int esp_wifi_build_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
 return pos - eid;
 }
 
-u16 esp_send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
- const u8 *addr, u16 status_code, bool omit_rsnxe, int subtype)
+u16 esp_send_assoc_resp(struct hostapd_data *hapd, const u8 *addr,
+ u16 status_code, bool omit_rsnxe, int subtype)
 {
 #define ASSOC_RESP_LENGTH 20
 u8 buf[ASSOC_RESP_LENGTH];
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.h b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.h
index fc7bcb6c8b..7e5d409997 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_hostap.h
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_hostap.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -15,9 +15,8 @@ extern "C" {
 #ifdef CONFIG_ESP_WIFI_SOFTAP_SUPPORT
 void *hostap_init(void);
 bool hostap_deinit(void *data);
-u16 esp_send_assoc_resp(struct hostapd_data *data, struct sta_info *sta,
- const u8 *addr, u16 status_code, bool omit_rsnxe,
- int subtype);
+u16 esp_send_assoc_resp(struct hostapd_data *data, const u8 *addr,
+ u16 status_code, bool omit_rsnxe, int subtype);
 int esp_send_sae_auth_reply(struct hostapd_data *hapd, const u8 *dst, const u8 *bssid, u16 auth_alg, u16 auth_transaction, u16 resp,
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
index eb1066d557..0649eaf580 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
@@ -332,7 +332,7 @@ static int check_n_add_wps_sta(struct hostapd_data *hapd, struct sta_info *sta_i
 if (sta_info->eapol_sm) {
 wpa_printf(MSG_DEBUG, "considering station " MACSTR " for WPS", MAC2STR(sta_info->addr));
- if (esp_send_assoc_resp(hapd, sta_info, sta_info->addr, WLAN_STATUS_SUCCESS, true, subtype) != WLAN_STATUS_SUCCESS) {
+ if (esp_send_assoc_resp(hapd, sta_info->addr, WLAN_STATUS_SUCCESS, true, subtype) != WLAN_STATUS_SUCCESS) {
 wpa_printf(MSG_ERROR, "failed to send assoc response " MACSTR, MAC2STR(sta_info->addr));
 return -1;
 }
@@ -356,15 +356,18 @@ static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len,u8
 #ifdef CONFIG_SAE
 if (old_sta->lock && os_semphr_take(old_sta->lock, 0) != TRUE) {
 wpa_printf(MSG_INFO, "Ignore assoc request as softap is busy with sae calculation for station "MACSTR, MAC2STR(bssid));
- if (esp_send_assoc_resp(hapd, old_sta, bssid, WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY, rsnxe ? false : true, subtype) != WLAN_STATUS_SUCCESS) {
+ if (esp_send_assoc_resp(hapd, bssid, WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY, rsnxe ? false : true, subtype) != WLAN_STATUS_SUCCESS) {
 goto fail;
 }
 return false;
 }
-#endif /* CONFIG_SAE */
 if (!esp_wifi_ap_is_sta_sae_reauth_node(bssid)) {
 ap_free_sta(hapd, old_sta);
+ } else if (old_sta && old_sta->lock) {
+ sta_info = old_sta;
+ goto process_old_sta;
 }
+#endif /* CONFIG_SAE */
 }
 
 sta_info = ap_get_sta(hapd, bssid);
@@ -374,12 +377,18 @@ static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len,u8
 wpa_printf(MSG_ERROR, "failed to add station " MACSTR, MAC2STR(bssid));
 goto fail;
 }
-#ifdef CONFIG_SAE
- if (sta_info->lock) {
- os_semphr_take(sta_info->lock, 0);
- }
-#endif /* CONFIG_SAE */
 }
 
+#ifdef CONFIG_SAE
+ if (sta_info->lock && os_semphr_take(sta_info->lock, 0) != TRUE) {
+ wpa_printf(MSG_INFO, "Ignore assoc request as softap is busy with sae calculation for station "MACSTR, MAC2STR(bssid));
+ if (esp_send_assoc_resp(hapd, bssid, WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY, rsnxe ? false : true, subtype) != WLAN_STATUS_SUCCESS) {
+ goto fail;
+ }
+ return false;
+ }
+#endif /* CONFIG_SAE */
+
+process_old_sta:
 #ifdef CONFIG_WPS_REGISTRAR
 if (check_n_add_wps_sta(hapd, sta_info, wpa_ie, wpa_ie_len, pmf_enable, subtype) == 0) {
diff --git a/components/wpa_supplicant/src/ap/wpa_auth.c b/components/wpa_supplicant/src/ap/wpa_auth.c
index 9b380a4b1a..c77ab940ce 100644
--- a/components/wpa_supplicant/src/ap/wpa_auth.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth.c
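Review bot: Moving `#endif /* CONFIG_SAE */` below the `esp_wifi_ap_is_sta_sae_reauth_node()` check changes builds without CONFIG_SAE: a re-associating station's old entry is no longer released through `ap_free_sta()`, so the `ap_get_sta(hapd, bssid)` lookup that follows presumably hands back the stale entry with whatever state it still carries; if that is intended, a comment saying so would help, otherwise the `#endif` should stay before `if (!esp_wifi_ap_is_sta_sae_reauth_node(bssid))` and only the new `else if` branch should be wrapped in `#ifdef CONFIG_SAE`. If `old_sta` is referenced only inside this block, a non-SAE build would now also warn about an unused variable. The `old_sta &&` in the new `else if` is redundant, because `old_sta->lock` is dereferenced unconditionally at the top of the same block; either drop it or move the NULL check up to where it protects the first dereference. The `goto process_old_sta` leaves this block with `old_sta->lock` already taken by the `os_semphr_take()` above, which is why the label sits after the second take, and a comment at the goto such as `/* lock already taken above; skip the re-take before process_old_sta */` would make that visible. `hostap_sta_join()` begins before this hunk and ends after it.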
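Review bot: The new busy check duplicates the one at the top of the `if (*sta)` block verbatim (the `os_semphr_take(..., 0) != TRUE` test, the `wpa_printf(MSG_INFO, ...)` line, the `WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY` response and `return false`), so the two rejection paths will drift apart on the next edit; a small static helper used by both call sites keeps them in sync, as sketched below. `rsnxe ? false : true` reads more simply as `!rsnxe`. Because the take has moved out of the `if (!sta_info)` branch, a station found by `ap_get_sta()` now also has its semaphore taken here, and I cannot see in this hunk where it is given back on the `goto fail` paths that follow, so it is worth confirming the release covers that case. The bare `process_old_sta:` label deserves a one-line comment, e.g. `/* entered via goto from the SAE re-auth path above; old_sta->lock was taken there */`. The enclosing `hostap_sta_join()` continues outside the hunk on both sides.
```c
/* Log and answer an association request that arrives while the SAE task still
 * holds the station's lock.  Returns the esp_send_assoc_resp() status so the
 * caller can decide between "defer" (return false) and "fail" (goto fail). */
static u16 hostap_reject_sta_busy(struct hostapd_data *hapd, const u8 *bssid,
                                  bool omit_rsnxe, int subtype)
{
    wpa_printf(MSG_INFO, "Ignore assoc request as softap is busy with sae calculation for station "MACSTR, MAC2STR(bssid));
    return esp_send_assoc_resp(hapd, bssid, WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY, omit_rsnxe, subtype);
}

/* … unchanged: hostap_sta_join() up to the ap_get_sta()/ap_sta_add() lookup;
 *   the old_sta check at the top of the if (*sta) block calls the same helper … */
#ifdef CONFIG_SAE
    if (sta_info->lock && os_semphr_take(sta_info->lock, 0) != TRUE) {
        if (hostap_reject_sta_busy(hapd, bssid, !rsnxe, subtype) != WLAN_STATUS_SUCCESS) {
            goto fail;
        }
        return false;
    }
#endif /* CONFIG_SAE */

/* entered via goto from the SAE re-auth path above; old_sta->lock was taken there */
process_old_sta:
/* … unchanged: WPS registrar check and the rest of the join … */
```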
@@ -789,7 +789,7 @@ continue_processing:
 * strong random numbers. Reject the first 4-way
 * handshake(s) and collect some entropy based on the
 * information from it. Once enough entropy is
- * available, the next atempt will trigger GMK/Key
+ * available, the next attempt will trigger GMK/Key
 * Counter update and the station will be allowed to
 * continue.
 */
@@ -2601,7 +2601,7 @@ send_resp:
 omit_rsnxe = true;
 }
 
- if (esp_send_assoc_resp(hapd, sta, bssid, resp, omit_rsnxe, subtype) != WLAN_STATUS_SUCCESS) {
+ if (esp_send_assoc_resp(hapd, bssid, resp, omit_rsnxe, subtype) != WLAN_STATUS_SUCCESS) {
 resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
 }