If the driver advertises max_remain_on_chan data, use it instead of
the hardcoded value of 5000. Keep the default at 5000 since that is the
value used by earlier versions of cfg80211/mac80211 and not advertised
in nl80211 for those.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When authenticating, and the interface type is not already
NL80211_IFTYPE_STATION, we need to call wpa_driver_nl80211_set_mode()
only once. Remove the excessive call.
Signed-off-by: Eliad Peller <eliad@wizery.com>
We can use the P2P interface types to check if the driver supports P2P
and to tell the kernel that a given interface is going to be used for
P2P (when it is created).
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
In order to enable protection mechanisms for different HT opmodes the
driver needs to be aware of the current HT opmode that is calculated by
hostapd. Hence, pass the current opmode to the nl80211 driver via
the bss attribute NL80211_ATTR_BSS_HT_OPMODE.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Previously, both NULL and ff:ff:ff:ff:ff:ff addr were used in various
places to indicate default/broadcast keys. Make this more consistent
and useful by defining NULL to mean default key (i.e., used both for
unicast and broadcast) and ff:ff:ff:ff:ff:ff to indicate broadcast
key (i.e., used only with broadcast).
When hostapd is removing a virtual BSS interface, the loop here was
incorrectly not updating the iterator during list traversal and
ended up in an infinite loop in some cases.
If the underlying driver supports off-channel TX, it will now be used by
the nl80211 driver wrapper, setting WPA_DRIVER_FLAGS_OFFCHANNEL_TX
accordingly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
With the new kernel functionality coming to Linux to allow off-channel
TX, we can take advantage of that in the P2P code that currently uses
remain-on-channel. If a driver advertises support for it, it will be
asked to handle off-channel TX by itself.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The nl80211 driver can report low ACK condition (in fact it reports
complete loss right now only). Use that, along with a config option, to
disconnect stations when the data connection is not working properly,
e.g., due to the STA having went outside the range of the AP. This is
disabled by default and can be enabled with disassoc_low_ack=1 in
hostapd or wpa_supplicant configuration file.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If a station received unprotected Deauthentication or Disassociation
frame with reason code 6 or 7 from the current AP, there may be a
mismatch in association state between the AP and STA. Verify whether
this is the case by using SA Query procedure. If not response is
received from the AP, deauthenticate.
This implementation is only for user space SME with
driver_nl80211.c.
Previously, pairwise and group cipher suites were configured only
when kernel SME (nl80211 connect API) was used. However, mac80211
needs this information even in the user space SME case for one
thing: to disable HT when TKIP/WEP is used. Add
NL80211_ATTR_CIPHER_SUITES_PAIRWISE to fix this special case with
user space SME. This allows mac80211 to disable HT properly when
the AP is configured with configuration that is not allowed.
This add preliminary code for setting the per-STA RX GTK for
RSN IBSS when nl80211 drivers. For some reason, this does not
seem to fully work, but at least driver_nl80211.c is now aware of
what kind of key is being set and the whatever is missing from
making this key configuration go through should be specific to
nl80211/cfg80211.
When controlling multiple virtual interfaces on the same physical
radio, share the scan results events with sibling interfaces. This
decreases the time it takes to connect many virtual interfaces.
This is currently only supported on Linux with cfg80211-based
drivers when using nl80211 or wext driver interface.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Some drivers are not providing exactly reliable error codes (e.g.,
with WEXT), but others may actually indicate reliable information.
Allow driver wrappers to indicate if that is the case and use
optimizations if so. For now, this improves nl80211 with
NL80211_CMD_CONNECT for a case where connection request fails.
driver_param=use_p2p_group_interface=1 can now be used to test
nl80211-drivers with separate P2P group interface. In other words,
the main interface (e.g., wlan0) is reserved for P2P management
operations and non-P2P connections and a new group interface (e.g.,
p2p-wlan0-0) is created for the P2P group.
This implementation is very minimal, i.e., it only support address
allocation for a single P2P group interface (if the driver does not
handle this internally). In addition, not all functionality has yet
been tested, so for now, this is disabled by default and needs that
special driver_param to enable.
driver.h defines these functions to return 0 on success, not
number of bytes transmitted. Most callers are checking "< 0" for
error condition, but not all. Address this by following the driver
API specification on 0 meaning success.
These are not used by any driver wrapper, i.e., only the four
data queues (BK, BE, VI, VO) are configurable. Better remove these
so that there is no confusion about being able to configure
something additional.
Pass data frames from unknown STAs to hostapd in order to reply with
a Deauthentication or Disassociation frame. This fixes compliance
with IEEE Std 802.11-2007, 11.3.
Furthermore, this does not cause a lot of overhead (at least with
mac80211 drivers) since mac80211 does not pass all data frames (but
at least from unauthenticated and unassociated STAs) to cooked monitor
interfaces.
Tested with rt2800pci on a MIPS board.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Listen to regulatory event messages from kernel and convert them to
internal driver event notifications indicated that the channel list
may have changed.
The new nl80211 API means we don't need to use monitor interfaces. This
means that the P2P implementation now requires a kernel that has support
for generic management frame (not just Action frame) transmission.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This is backward compatible since older kernels will ignore the extra
attribute and only allow registration for Action frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
libnl has a bug, when binding more than two sockets and releasing one,
it will release the wrong address and then try to reuse it, which fails.
Therefore, we need to reimplement the socket address assignment logic
locally for libnl 1.1.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When passing several authentication algorithms through auth_alg, we
should try all of them when the first one fails. The wext driver goes
through the connect nl80211 command and the retries are then handled by
the kernel. The nl80211 doesn't and we have to handle that from
userspace.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
DEAUTH messages can come from a number of different sources. The one
that's hurting us currently is DEAUTH netlink messages coming to us
from compat-wireless in response to local_state_change DEAUTH messages
we sent as a part of cleaning up state in driver_nl80211's
clear_state_mismatch() function. However, DEAUTH messages can come
from a variety of unwanted sources, including directed denial-of-service
attacks (although MAC verification doesn't place that high a barrier),
so this validation is actually generically useful, I think.
The downside to this method is that without a kernel based approach
"iw dev wlan0 link" no longer works correctly after clear_state_mismatch()
is done. This will be pursued with the kernel folks.
cfg80211/mac80211 seems to be unwilling to change interface mode in
some cases. Make these less likely to cause problems by trying the
changes up to 10 times with 100 msec intervals.
Replace use of rfkill block event with rtnetlink ifdown. This makes
the design more robust since the rfkill event could have been for
another interface while the rtnetlink events are already filtered
based of ifindex. In addition, the new design handles other than
rfkill-triggered ifdown/ifup events, too. rfkill unblocked event
is still needed to try to set the interface back up. If the unblock
was for another interface, ifup will fail and the driver state is
not changed.
Add a new wpa_supplicant state: interface disabled. This can be used
to allow wpa_supplicant to be running with the network interface even
when the driver does not actually allow any radio operations (e.g.,
due to rfkill).
Allow driver_nl80211.c and driver_wext.c to start while rfkill is in
blocked state (i.e., when ifconfig up fails) and process rfkill
events to block/unblock WLAN.
This adds more details into the CTRL-EVENT-DISCONNECTED event to
make it easier to figure out which network was disconnected in some
race conditions and to what could have been the reason for
disconnection. The reason code is currently only available with
the nl80211 driver wrapper.
There is no absolute requirement for separating address allocation
into separate functions, so simplify the driver wrapper interface
to use just if_add and if_remove instead of adding the new
alloc_interface_addr() and release_interface_addr() functions.
if_add() can now indicate if the driver forced a different interface
name or address on the virtual interface.
This removes transmission of some unnecessary Deauthentication
frames in cases where we only need to clear the local state. In
addition, this resolves issues for 802.11r FT-over-DS by allowing
authentication state to be set locally even when no actual
Authentication frame is to be transmitted.
This can be used to test 802.11w by sending a protected or unprotected
deauth/disassoc frame.
hostapd_cli deauth <dst addr> test=<0/1>
hostapd_cli disassoc <dst addr> test=<0/1>
test=0: unprotected
test=1: protected
This is a step in adding FT support with nl80211-based drivers.
driver_nl80211.c is now registering to handle the FT Action frames
and is able to transmit FT Request frame. Received FT Action frames
are not yet indicated as driver events.
This patch allows the nl80211 driver to create its own per-bss context
and pass it to the drv_priv pointer of the hostapd bss state.
With this and the following patch, stations can associate to and switch
between multiple BSS interfaces of a single wiphy.
This obsoletes a few instances of passing ifname to a callback, those
can be removed in a separate patch.
It might also be useful to move more fields from the driver data to the
per-bss data structure in the future.
filter_ssids=1 global configuration parameter can now be used to
enable scan result filtering (with -Dnl80211 only for now) based on
the configured SSIDs. In other words, only the scan results that have
an SSID matching with one of the configured networks are included in the
BSS table. This can be used to reduce memory needs in environments that
have huge number of APs.
wpa_supplicant can now be notified of suspend/resume events, e.g.,
from pm-action scripts. This allows wpa_supplicant to clear information
that may become invalid during a suspend operation.
The kernel side support for this was just added into
wireless-testing.git. This commit adds the driver wrapper code needed
to allow wpa_supplicant to use the new functionality.
Some drivers may need to use a specific ifname for the virtual
interface, so allow them to do this with a new parameter passed
to the alloc_interface_addr() handler.
This may help in debugging why cfg80211 refused the association
command since the scan results should include information about all
pending authentication and association states.
cfg80211 has a limit on pending authentications, so we better clear
the entries that we do not care about to avoid hitting the limit
when roaming between multiple APs.
This allows the driver wrappers to return two sets of IEs, so that
the BSS code can use information from both Beacon and Probe Response
frames if needed. For example, some Cisco APs seem to include more
information in Wireless Provisioning Services IE when it is in the
Beacon frame.
This makes the bridge parameter unnecessary for cases where the interface
is already in a bridge and sysfs is mounted to /sys so that the detection
code works.
For nl80211, the bridge parameter can be used to request the AP
interface to be added to the bridge automatically (brctl may refuse to
do this before hostapd has been started to change the interface mode).
If needed, the bridge interface is also created.
Number of Linux driver wrappers included this more or less identical
function, so lets add a new helper file to be able to share some more
code between the driver wrappers.
Most of this file was already moved into wpa_supplicant/scan.c and
we can remove the file completely by having couple of small helper
functions copied to the remaining users outside core wpa_supplicant
code.
This adds new commands and events for allowing off-channel Action
frame exchanges to be requested. This functionality is not yet used
and is only fully supported by driver_test.c at this point.
driver_nl80211.c has support for the remain-on-channel commands, but
the Action frame TX/RX part is still pending review for the kernel
code and as such, is not yet included here.
This adds placeholder code for allowing the virtual interfaces to be
pre-allocated a MAC address before the interface type is known with
drivers that do not handle interface type changes.
Get more information about scans when updating BSS table information.
This allows the missing-from-scans expiration rule to work properly
when only partial set of channels or SSIDs are being scanned.
There does not seem to be a driver interface for fetching auth_algs
capability, but this may be used by some external application, so
hardcode all auth_algs as supported for now.
This mode allows associated stations to use 4-address frames to allow
layer 2 bridging to be used. At least for the time being, this is only
supported with driver=nl80211.
As an initial step in sharing netlink helper functions among driver
wrappers, create a new file for netlink code and move operstate send
function there.
Replace driver wrapper calls to hostapd_tx_status(),
hostapd_rx_from_unknown_sta(), hostapd_mgmt_rx(), and
hostapd_mgmt_tx_cb() with new generic driver events
EVENT_TX_STATUS, EVENT_RX_FROM_UNKNOWN, and EVENT_RX_MGMT.
This cleans up lot of the driver wrapper code to be less dependent
on whether it is being used within wpa_supplicant AP mode or hostapd.
This remove the need from driver_test.c to go through internal hostapd
structures to find the appropriate BSS when reporting events on secondary
BSSes.
This removes need for including hostapd/sta_flags.h into driver
wrappers and removes any remaining dependencies between driver flags
and internal hostapd flags.
In addition to the bitrate, the only other variable in this structure
is used internally in hostapd. Move this structure into hostapd.h and
make the driver API use simpler data structure (array of bitrates).
These are not really used and can be removed to clean up the driver
interface definition. The only remaining flag (HOSTAPD_RATE_BASIC) can
be removed once the basic rate set indication can be handled
differently.
if_add/if_remove can now be used as the generic driver ops for adding
and removing virtual interfaces of various types. In addition,
driver_nl80211.c is now including this code unconditionally, so that
the functions are not limited only for hostapd.
There seem to be some cases in which wpa_supplicant and
cfg80211/mac80211 seem to have different understanding on
authentication/association state. Since cfg80211/mac80211 is very strict
on when it accepts new authentication/association/scan commands, try our
best at clearing such state mismatches by explicitly deauthenticating
from BSSes with which the driver claims we are associated with if we do
not have local information about such association.
Print what the kernel believes the current BSS status (authenticated
or associated) is in scan results. In addition, check whether this
matches with the state that wpa_supplicant believes the driver to be
in.
This does not change the actual behavior, but will provide information
that will help in debugging potential issues where cfg80211/mac80211
seems to get into a different state from wpa_supplicant. In addition,
this provides an easy location for a workaround that could be added to
clear cfg80211/mac80211 state for unknown BSSes.
This makes it clearer which files are including header from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.
In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
Instead of using hardcoded maximum A-MPDU length of 64 kB and no
restrictions on minimum MPDU Start Spacing, use the correct values
reported by the driver.
Mainly, this is including header files to get definitions for functions
which is good to verify that the parameters match. None of these are
issues that would have shown as incorrect behavior of the program.
This gets rid of previously deprecated driver_ops handlers set_wpa,
set_drop_unencrypted, set_auth_alg, set_mode. The same functionality
can be achieved by using the init/deinit/associate handlers.
Clean up driver_nl80211.c by gettign rid of the last remaining WEXT use.
This requires that a recent mac80211 version is used to get full protection
in station mode via the authorized flag (IEEE 802.1X PAE).
Clean up driver interface by merging hostapd and wpa_supplicant
specific set_beacon driver_ops into a single one. In addition,
merge set_beacon_int into to the same operation.
Always bring down the wlan interface, even when not changing the
BSSID, the interface also needs to be down for changing its type
from managed to AP mode.
gcc 4.4 ends up generating strict-aliasing warnings about some very common
networking socket uses that do not really result in a real problem and
cannot be easily avoided with union-based type-punning due to struct
definitions including another struct in system header files. To avoid having
to fully disable strict-aliasing warnings, provide a mechanism to hide the
typecast from aliasing for now. A cleaner solution will hopefully be found
in the future to handle these cases.
mac80211 does not currently allow (re)authentication when we are already
authenticated. In order to work around this, force deauthentication if
nl80211 authentication command fails with EALREADY. Unfortunately, the
workaround code in driver_nl80211.c alone is not enough since the
following disconnection event would clear wpa_supplicant authentication
state. To handle this, add some code to restore authentication state
when using userspace SME.
This workaround will hopefully become unnecessary in some point should
mac80211 start accepting new authentication requests even when in
authenticated state.
Replace "nl80211: Ignored unknown event (cmd=33)" with
"nl80211: Scan trigger" to make debug output clearer. We do not
currently do anything with this event apart from showing it in
the debug log.
This reverts commit 5aa9cb5cca.
The nested key attribute is using different attribute values
(NL80211_KEY_* vs. NL80211_ATTR_KEY_*), so cannot share the same routine
for these purposes..
Current wpa_supplicant has a bug with WEP keys, it adds a zero-length
sequence counter field to netlink which the kernel doesn't accept.
Additionally, the kernel API slightly changed to accept keys only when
connected, so we need to send it the keys after that. For that to work
with shared key authentication, we also include the default WEP TX key
in the authentication command.
To upload the keys properly _after_ associating, add a new flag
WPA_DRIVER_FLAGS_SET_KEYS_AFTER_ASSOC_DONE indicating that the driver
needs the keys at that point and not earlier.
This is an initial step in adding support for the new connect command.
For now, we just add the capability query. The actual use of the new
command will be added separately.
Previously, both the command replies and unsolicited events were
received from the same socket. This could cause problems if an event
message is received between a command and the response to that command.
Using two sockets avoids this issue.
Current wpa_supplicant has a bug with WEP keys, it adds a zero-length
sequence counter field to netlink which the kernel doesn't accept.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
hostapd currently tries to encrypt all auth frames,
except for "OPEN" and "SHARED with transaction 3".
This means that it will send an encrypted "unknown
auth algorithm" reply for all other algorithsm. Fix
this by changing the logic to only encrypt shared
key auth frames with transaction 3.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Change existing CONFIG_LIBNL20 compatibility code in
driver_nl80211.c to be used by both wpa_supplicant
and hostapd, but take care of nl_handle too now.
Propagate CONFIG_LIBNL20 out of .config file and onto
CFLAGS in the Makefile.
Use libnl-gen now too.
Signed-off-by: Jon Loeliger <jdl@bigfootnetworks.com>
---
If hostapd segfaults, or is killed with -9, or the interface already exists,
when the interface is created, it will fail.
Configuration file: /tmp/hostapd/hostapd.conf
Failed to create interface mon.wlan0_0.
Using interface wlan0_0 with hwaddr 00:13:01:01:08:0a and ssid 'IG_0405_LAN'
Failed to set beacon head/tail or DTIM period
Failed to create interface wlan0_1.
Try to remove the interface and re-create it before aborting.
This adds a cleaner mechanism for protecting against unauthorized
data frames than the previously used drop_unencrypted mechanism
(which is not even available with nl80211 and had to use a WEXT
ioctl.
The old drop_unencrypted code is left in for now as the final
surviving WEXT use in driver_nl80211.c. However, it can be removed
from the build by defining NO_WEXT. It may also be removed
eventually when most users are expected to be using recent enough
kernel version.
For now, the old code using NL80211_ATTR_STA_FLAGS is left in for
backwards compatibility with older kernel versions. It may be removed
eventually when most users are expected to be running with new
enough kernel version.
This simplifies driver wrapper operations and removes last direct
struct hostapd_data dereferences from driver_nl80211.c. In addition,
some of the TX callbacks are now fixed for secondary BSSes.
This fixes deauth/disassoc frames in secondary BSSes when using
multi-BSSID. In addition, it reduces need to dereference
struct hostapd_data inside driver wrappers.
NO_WEXT can be defined to disable all remaining WEXT uses from
driver_nl80211.c. This breaks some functionality, so the code is still
in use by default. Anyway, the new #ifdef blocks make it easy to search
for areas that need to be converted to nl80211.
Instead of adding a new driver_ops for fetching neighbor BSS data (that
nl80211 driver interface had to scan during initialization), share the
same scan operations that wpa_supplicant is using. This gets rid of
duplicated scan code in driver_nl80211.c (and better yet, removes large
part of old WEXT code).
hostapd interface initialization is now completed in a callback, if
needed, i.e., he_features channel/hw_mode selection can use as much time
as needed. This can also help with radar detection in the future.
hostapd ended up with unregistered send_mlme() in commit
9f324b61ba. Fix this by registering the
handler both for wpa_supplicant-AP and hostapd use. [Bug 310]
Use a parameter structure to pass in information that can be more easily
extended in the future. Include some of the parameters that were
previously read directly from hapd->conf in order to reduce need for
including hostapd/config.h into driver wrappers.
This was not documented properly and was not really used nor would it be
suitable to be used in generic way as it was implemented. It is better
to just remove the parameter since there does not seem to be any
reasonable use for it.
nl80211 interface has a trivial bug that prevents it to work correctly
with channel 14. Channel frequency is erroneously 2848 instead of 2484.
To correct it just apply this patch. [Bug 308]
This merges the driver wrapper implementations to use the same
implementation both for hostapd and wpa_supplicant operations to avoid
code duplication.
This commit merges the driver_ops structures and implementations from
hostapd/driver*.[ch] into src/drivers. This is only an initial step and
there is room for number of cleanups to share code between the hostapd
and wpa_supplicant parts of the wrappers to avoid unnecessary source
code duplication.
Need to set WEP keys before requesting authentication in order to get
Shared Key authentication working. Previously, the WEP keys were not set
at all when using SME in wpa_supplicant.
mac80211 does not use this type of Michael MIC event, so this is not
really used and proper Michael MIC failure processing will be added
using an nl80211 event once that gets added into wireless-testing.git.
It looks like both new nl80211 operations (scan and auth/assoc) end up
being added in Linux 2.6.30, so we do not need to maintain the backwards
compatibility code in wpa_supplicant.
A new network block parameter, scan_freq, can be used to specify subset
of frequencies to scan. This can speed up scanning process considerably
if it is known that only a small subset of channels is actually used in
the network. A union of configured frequencies for all enabled network
blocks is used in scan requests.
Currently, only driver_nl80211.c has support for this functionality.
For example, following parameter marks 2.4 GHz channels 1, 6, 11 to be
scanned: scan_freq=2412 2437 2462
This version is adding the configuration option (mode=2) for this and
driver capability reporting to figure out whether AP mode can be used.
However, this does not actually implement any real functionality yet.
Need to set drv->ifindex before calling set_mode(). In addition, set the
mode before setting the interface up to avoid having to set it down
again.
Add more useful error message on mode changes.
All these driver handlers can be implemented in associate() handler
which gets all the needed information in the parameters structure. The
old functions that provided only a single parameter will be removed
eventually to clean up the driver_ops structure, so driver wrappers
should start using the newer mechanism.
This can be used, e.g., with mac80211-based Linux drivers with
nl80211. This allows over-the-air FT protocol to be used (IEEE
802.11r).
Since the nl80211 interface needed for this is very recent (added
today into wireless-testing.git), driver_nl80211.c has backwards
compatibility code that uses WEXT for association if the kernel does
not support the new commands. This compatibility code can be
disabled by defining NO_WEXT_COMPAT. That code will also be removed
at some point to clean up driver_nl80211.c.
These flags are used to mark which values (level, noise, qual) are
invalid (not available from the driver) and whether level is using dBm.
D-Bus interface will now only report the values that were available.
For example, -Dnl80211,wext could be used to automatically select
between nl80211 and wext. The first driver wrapper that is able to
initialize the interface will be used.
This workaround was needed with some drivers that used WEXT, but there
is no known nl80211-enabled driver that would need this, so lets get rid
of the extra delay.
The driver wrappers can now inform wpa_supplicant how many SSIDs can
be used in a single scan request (i.e., send multiple Probe Requests
per channel). This value is not yet used, but it can eventually be used
to allow a new scan command to specify multiple SSIDs to speed up
scan_ssid=1 operations. In addition, a warning could be printed if
scan_ssid=1 is used with a driver that does not support it
(max_scan_ssids=0).
We can now handle up to 65535 byte result buffer which is the maximum
due to WEXT using 16-bit length field. Previously, this was limited to
32768 bytes in practice even through we tried with 65536 and 131072
buffers which we just truncated into 0 in the 16-bit variable.
This more or less doubles the number of BSSes we can received from scan
results.
This adds support for setting of a regulatory domain to wpa_supplicant
drivers. It also adds regulatory domain setting for the nl80211 driver.
We expect an ISO / IEC 3166 alpha2 in the wpa configuration file as a
global.
A bug just got reported as a result of this for mac80211 drivers.
https://bugzilla.redhat.com/show_bug.cgi?id=459399
The basic problem is that since taking the device down clears the keys
from the driver on many mac80211-based cards, and since the mode gets
set _after_ the keys have been set in the driver, the keys get cleared
on a mode switch and the resulting association is wrong. The report is
about ad-hoc mode specifically, but this could happen when switching
from adhoc back to managed mode.
If IWEVGENIE or custom event wpa_ie/rsn_ie is received in scan with empty
buffer, the previous version ended up calling realloc(NULL, 0) which seems
to return a non-NULL value in some cases. When this return value is passed
again into realloc with realloc(ptr, 0), the returned value could be NULL.
If the ptr is then freed (os_free(data.ie) in SIOCGIWAP handling), glibc
may crash due to invalid pointer being freed (or double-freed?). The
non-NULL realloc(NULL, 0) return value from glibc looks a bit odd behavior,
but anyway, better avoid this case completely and just skip the IE events
that have an empty buffer.
This issue should not show up with drivers that produce proper scan results
since the IEs will always include the two-octet header. However, it seems
to be possible to see this when using 64-bit kernel and 32-bit userspace
with incorrect compat-ioctl processing.
These functions are based on the hostapd implementation and complete
the userspace MLME code in wpa_supplicant (though, mac80211 will still need
couple of pending patches to be integrated in order to get userspace client
MLME working again).
This adds some parts needed to use usermode MLME with the current mac80211
(plus a patch to add a new cfg80211 command; not yet submitted to
wireless-testing). This version creates a monitor interface for management
frames and is able to send Probe Request frames during scan. However, it
looks like management frame reception is not yet working properly. In
addition, mlme_{add,remove}_sta() handlers are still missing.