qcacld-2.0: Fix incorrect length of encrypted auth frame
Memory for encrypted auth frame is allocated based on macro SIR_MAC_AUTH_CHALLENGE_LENGTH. SIR_MAC_AUTH_CHALLENGE_LENGTH was updated to 253 from 128. Auth failure is observed on receiving challenge text of length 128. Fix is to use length based on the challenge text received. Change-Id: I9a8b1a05d36421cfab2bf699fe38c50e150cf464 CRs-Fixed: 2100554 Bug: 67030205 Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
parent
c58b4a7a63
commit
b40d05a047
5 changed files with 52 additions and 15 deletions
|
@ -582,6 +582,10 @@
|
|||
#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253
|
||||
#define SIR_MAC_WEP_IV_LENGTH 4
|
||||
#define SIR_MAC_WEP_ICV_LENGTH 4
|
||||
#define SIR_MAC_CHALLENGE_ID_LEN 2
|
||||
|
||||
/* 2 bytes each for auth algo number, transaction number and status code */
|
||||
#define SIR_MAC_AUTH_FRAME_INFO_LEN 6
|
||||
|
||||
/// MAX key length when ULA is used
|
||||
#define SIR_MAC_MAX_KEY_LENGTH 32
|
||||
|
|
|
@ -1237,10 +1237,18 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
|
|||
sirSwapU16ifNeeded((tANI_U16) (pRxAuthFrameBody->authTransactionSeqNumber + 1));
|
||||
((tpSirMacAuthFrameBody) plainBody)->authStatusCode = eSIR_MAC_SUCCESS_STATUS;
|
||||
((tpSirMacAuthFrameBody) plainBody)->type = SIR_MAC_CHALLENGE_TEXT_EID;
|
||||
((tpSirMacAuthFrameBody) plainBody)->length = SIR_MAC_AUTH_CHALLENGE_LENGTH;
|
||||
((tpSirMacAuthFrameBody) plainBody)->length = pRxAuthFrameBody->length;
|
||||
palCopyMemory( pMac->hHdd, (tANI_U8 *) ((tpSirMacAuthFrameBody) plainBody)->challengeText,
|
||||
pRxAuthFrameBody->challengeText,
|
||||
SIR_MAC_AUTH_CHALLENGE_LENGTH);
|
||||
pRxAuthFrameBody->length);
|
||||
encrAuthFrame = vos_mem_malloc(pRxAuthFrameBody->length +
|
||||
LIM_ENCR_AUTH_INFO_LEN);
|
||||
if (!encrAuthFrame) {
|
||||
limLog(pMac, LOGE, FL("failed to allocate memory"));
|
||||
goto free;
|
||||
}
|
||||
vos_mem_set(encrAuthFrame, pRxAuthFrameBody->length +
|
||||
LIM_ENCR_AUTH_INFO_LEN, 0);
|
||||
|
||||
limEncryptAuthFrame(pMac, 0,
|
||||
pKeyMapEntry->key,
|
||||
|
@ -1253,7 +1261,8 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
|
|||
limSendAuthMgmtFrame(pMac,
|
||||
(tpSirMacAuthFrameBody) encrAuthFrame,
|
||||
pHdr->sa,
|
||||
LIM_WEP_IN_FC,psessionEntry);
|
||||
pRxAuthFrameBody->length,
|
||||
psessionEntry);
|
||||
|
||||
break;
|
||||
} // end if (pKeyMapEntry->key == NULL)
|
||||
|
@ -1315,10 +1324,19 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
|
|||
sirSwapU16ifNeeded((tANI_U16) (pRxAuthFrameBody->authTransactionSeqNumber + 1));
|
||||
((tpSirMacAuthFrameBody) plainBody)->authStatusCode = eSIR_MAC_SUCCESS_STATUS;
|
||||
((tpSirMacAuthFrameBody) plainBody)->type = SIR_MAC_CHALLENGE_TEXT_EID;
|
||||
((tpSirMacAuthFrameBody) plainBody)->length = SIR_MAC_AUTH_CHALLENGE_LENGTH;
|
||||
((tpSirMacAuthFrameBody) plainBody)->length = pRxAuthFrameBody->length;
|
||||
palCopyMemory( pMac->hHdd, (tANI_U8 *) ((tpSirMacAuthFrameBody) plainBody)->challengeText,
|
||||
pRxAuthFrameBody->challengeText,
|
||||
SIR_MAC_AUTH_CHALLENGE_LENGTH);
|
||||
pRxAuthFrameBody->length);
|
||||
|
||||
encrAuthFrame = vos_mem_malloc(pRxAuthFrameBody->length +
|
||||
LIM_ENCR_AUTH_INFO_LEN);
|
||||
if (!encrAuthFrame) {
|
||||
limLog(pMac, LOGE, FL("failed to allocate memory"));
|
||||
goto free;
|
||||
}
|
||||
vos_mem_set(encrAuthFrame, pRxAuthFrameBody->length +
|
||||
LIM_ENCR_AUTH_INFO_LEN, 0);
|
||||
|
||||
limEncryptAuthFrame(pMac, keyId,
|
||||
defaultKey,
|
||||
|
@ -1332,7 +1350,8 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
|
|||
limSendAuthMgmtFrame(pMac,
|
||||
(tpSirMacAuthFrameBody) encrAuthFrame,
|
||||
pHdr->sa,
|
||||
LIM_WEP_IN_FC,psessionEntry);
|
||||
pRxAuthFrameBody->length,
|
||||
psessionEntry);
|
||||
|
||||
break;
|
||||
} // end if (pKeyMapEntry)
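Review bot: In both WEP branches of limProcessAuthFrame (the hunks at new lines 1237 and 1324), `pRxAuthFrameBody->length` is taken from the received frame and now sizes the `palCopyMemory` into `plainBody`'s `challengeText`, yet neither hunk compares it with `SIR_MAC_AUTH_CHALLENGE_LENGTH` before the copy. Unless the frame parser outside these hunks already caps the value, I would add a guard ahead of the copy, e.g. `if (pRxAuthFrameBody->length > SIR_MAC_AUTH_CHALLENGE_LENGTH) { limLog(pMac, LOGE, FL("invalid challenge length")); goto free; }`. The declaration of `plainBody` is not visible here; it presumably has to hold the fixed header fields plus up to 253 bytes of challenge text, which is worth confirming now that the copy length is variable. The `free` label and the release of `encrAuthFrame` after `limSendAuthMgmtFrame` also lie outside the hunks, so confirm that every exit from these branches reaches it.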
|
||||
|
|
|
@ -557,7 +557,10 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
|
|||
tANI_U8 *pEncrBody, tANI_U32 keyLength)
|
||||
{
|
||||
tANI_U8 seed[LIM_SEED_LENGTH], icv[SIR_MAC_WEP_ICV_LENGTH];
|
||||
tANI_U16 framelen;
|
||||
|
||||
framelen = ((tpSirMacAuthFrameBody)pPlainText)->length +
|
||||
SIR_MAC_AUTH_FRAME_INFO_LEN + SIR_MAC_CHALLENGE_ID_LEN;
|
||||
keyLength += 3;
|
||||
|
||||
// Bytes 0-2 of seed is IV
|
||||
|
@ -576,7 +579,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
|
|||
// Run RC4 on plain text with the seed
|
||||
limRC4(pEncrBody + SIR_MAC_WEP_IV_LENGTH,
|
||||
(tANI_U8 *) pPlainText, seed, keyLength,
|
||||
LIM_ENCR_AUTH_BODY_LEN - SIR_MAC_WEP_IV_LENGTH);
|
||||
framelen + SIR_MAC_WEP_IV_LENGTH);
|
||||
|
||||
// Prepare IV
|
||||
pEncrBody[0] = seed[0];
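Review bot: The new length on the `limRC4` call, `framelen + SIR_MAC_WEP_IV_LENGTH`, names the wrong constant: the output is written starting at `pEncrBody + SIR_MAC_WEP_IV_LENGTH`, so the bytes being encrypted are the frame body followed by the ICV, and the expression is correct only because both constants are defined as 4. I would write `framelen + SIR_MAC_WEP_ICV_LENGTH);` so the size stays right if either constant changes. The code between the two hunks that computes and appends `icv` is not shown; it needs to work from the same `framelen` offset, otherwise the ICV would fall outside the range that is encrypted. The function body starts and ends outside these hunks.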
|
||||
|
|
|
@ -57,6 +57,13 @@
|
|||
#define LIM_ENCR_AUTH_BODY_LEN (sizeof(tSirMacAuthFrameBody) + \
|
||||
SIR_MAC_WEP_IV_LENGTH + \
|
||||
SIR_MAC_WEP_ICV_LENGTH)
|
||||
|
||||
|
||||
#define LIM_ENCR_AUTH_INFO_LEN (SIR_MAC_AUTH_FRAME_INFO_LEN +\
|
||||
SIR_MAC_WEP_IV_LENGTH + \
|
||||
SIR_MAC_WEP_ICV_LENGTH + \
|
||||
SIR_MAC_CHALLENGE_ID_LEN)
|
||||
|
||||
struct tLimPreAuthNode;
|
||||
|
||||
tANI_U8 limIsAuthAlgoSupported(tpAniSirGlobal, tAniAuthType, tpPESession);
|
||||
|
|
|
@ -3114,8 +3114,8 @@ void
|
|||
limSendAuthMgmtFrame(tpAniSirGlobal pMac,
|
||||
tpSirMacAuthFrameBody pAuthFrameBody,
|
||||
tSirMacAddr peerMacAddr,
|
||||
tANI_U8 wepBit,
|
||||
tpPESession psessionEntry
|
||||
tANI_U8 wep_challenge_len,
|
||||
tpPESession psessionEntry
|
||||
)
|
||||
{
|
||||
tANI_U8 *pFrame, *pBody;
|
||||
|
@ -3130,8 +3130,8 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
|
|||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (wepBit == LIM_WEP_IN_FC)
|
||||
|
||||
if (wep_challenge_len)
|
||||
{
|
||||
/// Auth frame3 to be sent with encrypted framebody
|
||||
/**
|
||||
|
@ -3142,9 +3142,9 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
|
|||
* IV & ICV.
|
||||
*/
|
||||
|
||||
frameLen = sizeof(tSirMacMgmtHdr) + LIM_ENCR_AUTH_BODY_LEN;
|
||||
bodyLen = wep_challenge_len + LIM_ENCR_AUTH_INFO_LEN;
|
||||
frameLen = sizeof(tSirMacMgmtHdr) + bodyLen;
|
||||
|
||||
bodyLen = LIM_ENCR_AUTH_BODY_LEN;
|
||||
} // if (wepBit == LIM_WEP_IN_FC)
|
||||
else
|
||||
{
|
||||
|
@ -3269,7 +3269,11 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
|
|||
}
|
||||
|
||||
pMacHdr = ( tpSirMacMgmtHdr ) pFrame;
|
||||
pMacHdr->fc.wep = wepBit;
|
||||
if (wep_challenge_len)
|
||||
pMacHdr->fc.wep = LIM_WEP_IN_FC;
|
||||
else
|
||||
pMacHdr->fc.wep = LIM_NO_WEP_IN_FC;
|
||||
|
||||
|
||||
// Prepare BSSId
|
||||
if( (psessionEntry->limSystemRole == eLIM_AP_ROLE)|| (psessionEntry->limSystemRole == eLIM_BT_AMP_AP_ROLE) )
|
||||
|
@ -3282,7 +3286,7 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
|
|||
/// Prepare Authentication frame body
|
||||
pBody = pFrame + sizeof(tSirMacMgmtHdr);
|
||||
|
||||
if (wepBit == LIM_WEP_IN_FC)
|
||||
if (wep_challenge_len)
|
||||
{
|
||||
palCopyMemory( pMac->hHdd, pBody, (tANI_U8 *) pAuthFrameBody, bodyLen);
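Review bot: `wep_challenge_len` now doubles as the "send encrypted" flag (`if (wep_challenge_len)` in three places), so a call that passes a zero challenge length for an already-encrypted buffer takes the plain-text branch and the frame goes out with `LIM_NO_WEP_IN_FC`. The limProcessAuthFrame call sites pass `pRxAuthFrameBody->length` straight from the received frame, so either reject a zero-length challenge before the call or state the contract at the parameter, e.g. `/* wep_challenge_len: challenge text length of an encrypted frame 3; 0 means send unencrypted */`. The context comment `} // if (wepBit == LIM_WEP_IN_FC)` is stale now that `wepBit` is gone, and the new unbraced `if`/`else` that sets `fc.wep` departs from the braced style used elsewhere in the function. The function body continues outside these hunks.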
|
||||
|
||||
|
|