qcacld-2.0: Fix incorrect length of encrypted auth frame

Memory for encrypted auth frame is allocated based on macro SIR_MAC_AUTH_CHALLENGE_LENGTH. SIR_MAC_AUTH_CHALLENGE_LENGTH was updated to 253 from 128. Auth failure is observed on receiving challenge text of length 128. Fix is to use length based on the challenge text received. Change-Id: I9a8b1a05d36421cfab2bf699fe38c50e150cf464 CRs-Fixed: 2100554 Bug: 67030205 Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2017-12-06 11:13:11 -08:00 · 2017-12-06 11:13:11 -08:00 · b40d05a047
parent c58b4a7a63
commit b40d05a047
5 changed files with 52 additions and 15 deletions
--- a/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
+++ b/drivers/staging/prima/CORE/MAC/inc/sirMacProtDef.h
@ -582,6 +582,10 @@
 #define SIR_MAC_AUTH_CHALLENGE_LENGTH        253
 #define SIR_MAC_WEP_IV_LENGTH                4
 #define SIR_MAC_WEP_ICV_LENGTH               4
+#define SIR_MAC_CHALLENGE_ID_LEN             2
+
+/* 2 bytes each for auth algo number, transaction number and status code */
+#define SIR_MAC_AUTH_FRAME_INFO_LEN          6

 /// MAX key length when ULA is used
 #define SIR_MAC_MAX_KEY_LENGTH               32
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessAuthFrame.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessAuthFrame.c
@ -1237,10 +1237,18 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
                                sirSwapU16ifNeeded((tANI_U16) (pRxAuthFrameBody->authTransactionSeqNumber + 1));
                                ((tpSirMacAuthFrameBody) plainBody)->authStatusCode = eSIR_MAC_SUCCESS_STATUS;
                                ((tpSirMacAuthFrameBody) plainBody)->type   = SIR_MAC_CHALLENGE_TEXT_EID;
-                                ((tpSirMacAuthFrameBody) plainBody)->length = SIR_MAC_AUTH_CHALLENGE_LENGTH;
+                                ((tpSirMacAuthFrameBody) plainBody)->length = pRxAuthFrameBody->length;
                                palCopyMemory( pMac->hHdd, (tANI_U8 *) ((tpSirMacAuthFrameBody) plainBody)->challengeText,
                                              pRxAuthFrameBody->challengeText,
-                                              SIR_MAC_AUTH_CHALLENGE_LENGTH);
+                                              pRxAuthFrameBody->length);
+                                encrAuthFrame = vos_mem_malloc(pRxAuthFrameBody->length +
+                                                               LIM_ENCR_AUTH_INFO_LEN);
+                                if (!encrAuthFrame) {
+                                    limLog(pMac, LOGE, FL("failed to allocate memory"));
+                                    goto free;
+                                }
+                                vos_mem_set(encrAuthFrame, pRxAuthFrameBody->length +
+                                            LIM_ENCR_AUTH_INFO_LEN, 0);

                                limEncryptAuthFrame(pMac, 0,
                                                    pKeyMapEntry->key,
@ -1253,7 +1261,8 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
                                limSendAuthMgmtFrame(pMac,
                                                     (tpSirMacAuthFrameBody) encrAuthFrame,
                                                     pHdr->sa,
-                                                     LIM_WEP_IN_FC,psessionEntry);
+                                                     pRxAuthFrameBody->length,
+                                                     psessionEntry);

                                break;
                            } // end if (pKeyMapEntry->key == NULL)
@ -1315,10 +1324,19 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
                                sirSwapU16ifNeeded((tANI_U16) (pRxAuthFrameBody->authTransactionSeqNumber + 1));
                                ((tpSirMacAuthFrameBody) plainBody)->authStatusCode = eSIR_MAC_SUCCESS_STATUS;
                                ((tpSirMacAuthFrameBody) plainBody)->type   = SIR_MAC_CHALLENGE_TEXT_EID;
-                                ((tpSirMacAuthFrameBody) plainBody)->length = SIR_MAC_AUTH_CHALLENGE_LENGTH;
+                                ((tpSirMacAuthFrameBody) plainBody)->length = pRxAuthFrameBody->length;
                                palCopyMemory( pMac->hHdd, (tANI_U8 *) ((tpSirMacAuthFrameBody) plainBody)->challengeText,
                                              pRxAuthFrameBody->challengeText,
-                                              SIR_MAC_AUTH_CHALLENGE_LENGTH);
+                                              pRxAuthFrameBody->length);
+
+                                encrAuthFrame = vos_mem_malloc(pRxAuthFrameBody->length +
+                                                               LIM_ENCR_AUTH_INFO_LEN);
+                                if (!encrAuthFrame) {
+                                    limLog(pMac, LOGE, FL("failed to allocate memory"));
+                                    goto free;
+                                }
+                                vos_mem_set(encrAuthFrame, pRxAuthFrameBody->length +
+                                            LIM_ENCR_AUTH_INFO_LEN, 0);

                                limEncryptAuthFrame(pMac, keyId,
                                                    defaultKey,
@ -1332,7 +1350,8 @@ limProcessAuthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession pse
                                limSendAuthMgmtFrame(pMac,
                                                     (tpSirMacAuthFrameBody) encrAuthFrame,
                                                     pHdr->sa,
-                                                     LIM_WEP_IN_FC,psessionEntry);
+                                                     pRxAuthFrameBody->length,
+                                                     psessionEntry);

                                break;
                        } // end if (pKeyMapEntry)
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.c
@ -557,7 +557,10 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
                    tANI_U8 *pEncrBody, tANI_U32 keyLength)
 {
    tANI_U8  seed[LIM_SEED_LENGTH], icv[SIR_MAC_WEP_ICV_LENGTH];
+    tANI_U16 framelen;

+    framelen = ((tpSirMacAuthFrameBody)pPlainText)->length +
+                 SIR_MAC_AUTH_FRAME_INFO_LEN + SIR_MAC_CHALLENGE_ID_LEN;
    keyLength += 3;

    // Bytes 0-2 of seed is IV
@ -576,7 +579,7 @@ limEncryptAuthFrame(tpAniSirGlobal pMac, tANI_U8 keyId, tANI_U8 *pKey, tANI_U8 *
    // Run RC4 on plain text with the seed
    limRC4(pEncrBody + SIR_MAC_WEP_IV_LENGTH,
           (tANI_U8 *) pPlainText, seed, keyLength,
-           LIM_ENCR_AUTH_BODY_LEN - SIR_MAC_WEP_IV_LENGTH);
+           framelen + SIR_MAC_WEP_IV_LENGTH);

    // Prepare IV
    pEncrBody[0] = seed[0];
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSecurityUtils.h
@ -57,6 +57,13 @@
 #define LIM_ENCR_AUTH_BODY_LEN  (sizeof(tSirMacAuthFrameBody) + \
                                SIR_MAC_WEP_IV_LENGTH + \
                                SIR_MAC_WEP_ICV_LENGTH)
+                                
+
+#define LIM_ENCR_AUTH_INFO_LEN  (SIR_MAC_AUTH_FRAME_INFO_LEN +\
+                                 SIR_MAC_WEP_IV_LENGTH + \
+                                 SIR_MAC_WEP_ICV_LENGTH + \
+                                 SIR_MAC_CHALLENGE_ID_LEN)
+
 struct tLimPreAuthNode;

 tANI_U8        limIsAuthAlgoSupported(tpAniSirGlobal, tAniAuthType, tpPESession);
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limSendManagementFrames.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limSendManagementFrames.c
@ -3114,8 +3114,8 @@ void
 limSendAuthMgmtFrame(tpAniSirGlobal pMac,
                     tpSirMacAuthFrameBody pAuthFrameBody,
                     tSirMacAddr           peerMacAddr,
-                     tANI_U8               wepBit,
-                     tpPESession           psessionEntry 
+                     tANI_U8               wep_challenge_len,
+                     tpPESession           psessionEntry
                                                       )
 {
    tANI_U8            *pFrame, *pBody;
@ -3130,8 +3130,8 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
    {
        return;
    }
-      
-    if (wepBit == LIM_WEP_IN_FC)
+
+    if (wep_challenge_len)
    {
        /// Auth frame3 to be sent with encrypted framebody
        /**
@ -3142,9 +3142,9 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
         * IV & ICV.
         */

-        frameLen = sizeof(tSirMacMgmtHdr) + LIM_ENCR_AUTH_BODY_LEN;
+        bodyLen = wep_challenge_len + LIM_ENCR_AUTH_INFO_LEN;
+        frameLen = sizeof(tSirMacMgmtHdr) + bodyLen;

-        bodyLen = LIM_ENCR_AUTH_BODY_LEN;
    } // if (wepBit == LIM_WEP_IN_FC)
    else
    {
@ -3269,7 +3269,11 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
    }

    pMacHdr = ( tpSirMacMgmtHdr ) pFrame;
-    pMacHdr->fc.wep = wepBit;
+    if (wep_challenge_len)
+        pMacHdr->fc.wep = LIM_WEP_IN_FC;
+    else
+        pMacHdr->fc.wep = LIM_NO_WEP_IN_FC;
+

    // Prepare BSSId
    if(  (psessionEntry->limSystemRole == eLIM_AP_ROLE)|| (psessionEntry->limSystemRole == eLIM_BT_AMP_AP_ROLE) )
@ -3282,7 +3286,7 @@ limSendAuthMgmtFrame(tpAniSirGlobal pMac,
    /// Prepare Authentication frame body
    pBody    = pFrame + sizeof(tSirMacMgmtHdr);

-    if (wepBit == LIM_WEP_IN_FC)
+    if (wep_challenge_len)
    {
        palCopyMemory( pMac->hHdd, pBody, (tANI_U8 *) pAuthFrameBody, bodyLen);