rpms/wpa_supplicant/F-8 wpa_supplicant-0.5.10-rsn-race-fix.patch, NONE, 1.1 wpa_supplicant-0.6.3-wext-scan-parser-crash-fix.patch, NONE, 1.1 wpa_supplicant-0.6.4-mac80211-mode-order-fix.patch, NONE, 1.1 wpa_supplicant.spec, 1.48, 1.49
Daniel Williams
dcbw at fedoraproject.org
Tue Sep 2 19:40:19 UTC 2008
Author: dcbw
Update of /cvs/extras/rpms/wpa_supplicant/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18676
Modified Files:
wpa_supplicant.spec
Added Files:
wpa_supplicant-0.5.10-rsn-race-fix.patch
wpa_supplicant-0.6.3-wext-scan-parser-crash-fix.patch
wpa_supplicant-0.6.4-mac80211-mode-order-fix.patch
Log Message:
* Tue Sep 2 2008 Dan Williams <dcbw at redhat.com> - 0.5.10-6
- Fix possible crash when parsing scan results
- Fix possible race condition when using RSN/WPA2
- Fix starting ad-hoc networks with mac80211-based drivers
wpa_supplicant-0.5.10-rsn-race-fix.patch:
--- NEW FILE wpa_supplicant-0.5.10-rsn-race-fix.patch ---
Backport of the following commit to 0.5.10:
commit 3e2ad1b932d827ddb038a5f9163bca766803811a
Author: Jouni Malinen <j at w1.fi>
Date: Mon Jun 9 16:26:47 2008 +0300
Fixed race condition between disassociation event and group key handshake
This avoids getting stuck in state where wpa_supplicant has canceled scans,
but the driver is actually in disassociated state. The previously used code
that controlled scan timeout from WPA module is not really needed anymore
(and has not been needed for past four years since authentication timeout
was separated from scan request timeout), so this can simply be removed to
resolve the race condition. As an extra bonus, this simplifies the
interface to WPA module.
[Bug 261]
diff -up wpa_supplicant-0.5.10/preauth_test.c.race-fix wpa_supplicant-0.5.10/preauth_test.c
--- wpa_supplicant-0.5.10/preauth_test.c.race-fix 2007-03-24 22:09:50.000000000 -0400
+++ wpa_supplicant-0.5.10/preauth_test.c 2008-08-29 13:31:40.000000000 -0400
@@ -44,12 +44,6 @@ struct preauth_test_data {
};
-static void _wpa_supplicant_req_scan(void *wpa_s, int sec, int usec)
-{
- wpa_supplicant_req_scan(wpa_s, sec, usec);
-}
-
-
static void _wpa_supplicant_disassociate(void *wpa_s, int reason_code)
{
wpa_supplicant_disassociate(wpa_s, reason_code);
@@ -254,7 +248,6 @@ static void wpa_init_conf(struct wpa_sup
ctx->ctx = wpa_s;
ctx->set_state = _wpa_supplicant_set_state;
ctx->get_state = _wpa_supplicant_get_state;
- ctx->req_scan = _wpa_supplicant_req_scan;
ctx->deauthenticate = _wpa_supplicant_deauthenticate;
ctx->disassociate = _wpa_supplicant_disassociate;
ctx->set_key = wpa_supplicant_set_key;
diff -up wpa_supplicant-0.5.10/wpa.c.race-fix wpa_supplicant-0.5.10/wpa.c
--- wpa_supplicant-0.5.10/wpa.c.race-fix 2008-02-17 19:10:46.000000000 -0500
+++ wpa_supplicant-0.5.10/wpa.c 2008-08-29 13:31:40.000000000 -0400
@@ -1567,7 +1567,6 @@ static void wpa_supplicant_key_neg_compl
MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
wpa_cipher_txt(sm->pairwise_cipher),
wpa_cipher_txt(sm->group_cipher));
- eloop_cancel_timeout(sm->ctx->scan, sm->ctx->ctx, NULL);
wpa_sm_cancel_auth_timeout(sm);
wpa_sm_set_state(sm, WPA_COMPLETED);
@@ -1904,7 +1903,6 @@ static void wpa_report_ie_mismatch(struc
}
wpa_sm_disassociate(sm, REASON_IE_IN_4WAY_DIFFERS);
- wpa_sm_req_scan(sm, 0, 0);
}
@@ -3798,7 +3796,6 @@ static void wpa_sm_pmksa_free_cb(struct
os_memset(sm->pmk, 0, sizeof(sm->pmk));
wpa_sm_deauthenticate(sm, REASON_UNSPECIFIED);
- wpa_sm_req_scan(sm, 0, 0);
}
}
diff -up wpa_supplicant-0.5.10/wpa.h.race-fix wpa_supplicant-0.5.10/wpa.h
--- wpa_supplicant-0.5.10/wpa.h.race-fix 2007-03-24 22:09:50.000000000 -0400
+++ wpa_supplicant-0.5.10/wpa.h 2008-08-29 13:31:40.000000000 -0400
@@ -59,7 +59,6 @@ struct wpa_sm_ctx {
void (*set_state)(void *ctx, wpa_states state);
wpa_states (*get_state)(void *ctx);
- void (*req_scan)(void *ctx, int sec, int usec);
void (*deauthenticate)(void * ctx, int reason_code);
void (*disassociate)(void *ctx, int reason_code);
int (*set_key)(void *ctx, wpa_alg alg,
diff -up wpa_supplicant-0.5.10/wpa_i.h.race-fix wpa_supplicant-0.5.10/wpa_i.h
--- wpa_supplicant-0.5.10/wpa_i.h.race-fix 2007-03-24 22:09:50.000000000 -0400
+++ wpa_supplicant-0.5.10/wpa_i.h 2008-08-29 13:31:40.000000000 -0400
@@ -146,11 +146,6 @@ static inline wpa_states wpa_sm_get_stat
return sm->ctx->get_state(sm->ctx->ctx);
}
-static inline void wpa_sm_req_scan(struct wpa_sm *sm, int sec, int usec)
-{
- sm->ctx->req_scan(sm->ctx->ctx, sec, usec);
-}
-
static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, int reason_code)
{
sm->ctx->deauthenticate(sm->ctx->ctx, reason_code);
diff -up wpa_supplicant-0.5.10/wpa_supplicant.c.race-fix wpa_supplicant-0.5.10/wpa_supplicant.c
--- wpa_supplicant-0.5.10/wpa_supplicant.c.race-fix 2008-08-29 13:31:40.000000000 -0400
+++ wpa_supplicant-0.5.10/wpa_supplicant.c 2008-08-29 13:32:55.000000000 -0400
@@ -362,7 +362,6 @@ static void wpa_supplicant_notify_eapol_
if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
wpa_supplicant_set_state(wpa_s, WPA_4WAY_HANDSHAKE);
} else {
- eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL);
wpa_supplicant_cancel_auth_timeout(wpa_s);
wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
}
@@ -1817,12 +1816,6 @@ static int _wpa_ether_send(void *wpa_s,
}
-static void _wpa_supplicant_req_scan(void *wpa_s, int sec, int usec)
-{
- wpa_supplicant_req_scan(wpa_s, sec, usec);
-}
-
-
static void _wpa_supplicant_cancel_auth_timeout(void *wpa_s)
{
wpa_supplicant_cancel_auth_timeout(wpa_s);
@@ -1844,12 +1837,16 @@ static wpa_states _wpa_supplicant_get_st
static void _wpa_supplicant_disassociate(void *wpa_s, int reason_code)
{
wpa_supplicant_disassociate(wpa_s, reason_code);
+ /* Schedule a scan to make sure we continue looking for networks */
+ wpa_supplicant_req_scan(wpa_s, 0, 0);
}
static void _wpa_supplicant_deauthenticate(void *wpa_s, int reason_code)
{
wpa_supplicant_deauthenticate(wpa_s, reason_code);
+ /* Schedule a scan to make sure we continue looking for networks */
+ wpa_supplicant_req_scan(wpa_s, 0, 0);
}
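Review bot: The comment added above each `wpa_supplicant_req_scan(wpa_s, 0, 0)` call states the intent but not why the call now lives here: this patch removes the WPA module's own `wpa_sm_req_scan()` calls after `wpa_sm_disassociate()` (IE mismatch) and `wpa_sm_deauthenticate()` (PMKSA free), so these two wrappers are now the only place a scan is rescheduled for a disconnect the WPA module initiates. Suggest `/* The WPA module no longer requests scans itself; reschedule here so a disconnect it triggers keeps the interface looking for networks */` in place of the shorter comment, at least on the first wrapper. The two wrappers are identical apart from the callee; a small shared helper would keep them from drifting, though at this size that is a matter of taste.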
@@ -2227,7 +2224,6 @@ static int wpa_supplicant_init_wpa(struc
ctx->ctx = wpa_s;
ctx->set_state = _wpa_supplicant_set_state;
ctx->get_state = _wpa_supplicant_get_state;
- ctx->req_scan = _wpa_supplicant_req_scan;
ctx->deauthenticate = _wpa_supplicant_deauthenticate;
ctx->disassociate = _wpa_supplicant_disassociate;
ctx->set_key = wpa_supplicant_set_key;
wpa_supplicant-0.6.3-wext-scan-parser-crash-fix.patch:
--- NEW FILE wpa_supplicant-0.6.3-wext-scan-parser-crash-fix.patch ---
Inspired by the following commit; the rest of the patch for custom scan
event processing does not apply to wpa_supplicant 0.5.10.
commit fd630bc183fb79d0a14b5f3a346544f3d277bd05
Author: Jouni Malinen <jouni.malinen at atheros.com>
Date: Wed Aug 27 09:52:16 2008 +0300
Fixed WEXT scan result parser to not crash on invalid IEs (zero len buffer)
If IWEVGENIE or custom event wpa_ie/rsn_ie is received in scan with empty
buffer, the previous version ended up calling realloc(NULL, 0) which seems
to return a non-NULL value in some cases. When this return value is passed
again into realloc with realloc(ptr, 0), the returned value could be NULL.
If the ptr is then freed (os_free(data.ie) in SIOCGIWAP handling), glibc
may crash due to invalid pointer being freed (or double-freed?). The
non-NULL realloc(NULL, 0) return value from glibc looks a bit odd behavior,
but anyway, better avoid this case completely and just skip the IE events
that have an empty buffer.
This issue should not show up with drivers that produce proper scan results
since the IEs will always include the two-octet header. However, it seems
to be possible to see this when using 64-bit kernel and 32-bit userspace
with incorrect compat-ioctl processing.
diff -up wpa_supplicant-0.5.10/driver_wext.c.scan-parse-crash wpa_supplicant-0.5.10/driver_wext.c
--- wpa_supplicant-0.5.10/driver_wext.c.scan-parse-crash 2008-08-29 11:16:09.000000000 -0400
+++ wpa_supplicant-0.5.10/driver_wext.c 2008-08-29 11:17:43.000000000 -0400
@@ -1302,6 +1302,8 @@ int wpa_driver_wext_get_scan_results(voi
case IWEVGENIE:
if (ap_num >= max_size)
break;
+ if (iwe->u.data.length == 0)
+ break;
gpos = genie = custom;
gend = genie + iwe->u.data.length;
if (gend > end) {
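Review bot: The new zero-length guard is not explained at the point of use; a comment such as `/* Skip empty IE buffers: an empty event would otherwise reach realloc(ptr, 0), whose result cannot safely be freed later */` would tie the check to the crash it prevents. The check also admits a one-octet buffer, which is still shorter than the two-octet IE header the commit message relies on; whether the loop that follows `gend = genie + iwe->u.data.length` bounds each element before reading its length octet is outside this hunk and worth confirming. wpa_driver_wext_get_scan_results begins and ends outside the hunk.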
wpa_supplicant-0.6.4-mac80211-mode-order-fix.patch:
--- NEW FILE wpa_supplicant-0.6.4-mac80211-mode-order-fix.patch ---
diff -up wpa_supplicant-0.5.10/driver.h.mode-order-fix wpa_supplicant-0.5.10/driver.h
--- wpa_supplicant-0.5.10/driver.h.mode-order-fix 2007-03-24 22:09:49.000000000 -0400
+++ wpa_supplicant-0.5.10/driver.h 2008-08-29 19:07:47.000000000 -0400
@@ -469,6 +469,15 @@ struct wpa_driver_ops {
*/
int (*disassociate)(void *priv, const u8 *addr, int reason_code);
+ /**
+ * associate - Request driver to set the operating mode
+ * @priv: private driver interface data
+ * @mode: Operation mode (infra/ibss) IEEE80211_MODE_*
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+ int (*set_mode)(void *priv, int mode);
+
/**
* associate - Request driver to associate
* @priv: private driver interface data
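Review bot: The new doc block is headed `associate - Request driver to set the operating mode` but documents `set_mode`; the copy-pasted name should read `* set_mode - Request driver to set the operating mode`. It would also help backend authors to state what leaving the callback NULL means, since the wrapper added in wpa_supplicant_i.h in this same patch treats a NULL `set_mode` as success; something like `* Drivers that apply the mode inside associate() may leave this NULL.` would record that, assuming that is indeed the intended contract.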
diff -up wpa_supplicant-0.5.10/driver_test.c.mode-order-fix wpa_supplicant-0.5.10/driver_test.c
--- wpa_supplicant-0.5.10/driver_test.c.mode-order-fix 2007-12-27 19:21:09.000000000 -0500
+++ wpa_supplicant-0.5.10/driver_test.c 2008-08-29 19:07:47.000000000 -0400
@@ -901,6 +901,7 @@ const struct wpa_driver_ops wpa_driver_t
wpa_driver_test_get_scan_results,
wpa_driver_test_deauthenticate,
wpa_driver_test_disassociate,
+ NULL /* set_mode */,
wpa_driver_test_associate,
NULL /* set_auth_alg */,
NULL /* add_pmkid */,
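Review bot: Inserting `set_mode` between `disassociate` and `associate` in struct wpa_driver_ops shifts the position of every later member, and this initializer is positional, so it had to be updated; any other driver backend in the 0.5.10 tree that initializes wpa_driver_ops positionally and is not touched by this patch would now have its `associate` pointer land in `set_mode` and each following pointer shift by one, which compiles cleanly and fails at runtime. Only driver_test.c (positional) and driver_wext.c (designated) are updated here, so the remaining backends should be checked for positional initializers. Appending `set_mode` at the end of the struct, or converting this initializer to designated form, would remove the hazard.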
diff -up wpa_supplicant-0.5.10/driver_wext.c.mode-order-fix wpa_supplicant-0.5.10/driver_wext.c
--- wpa_supplicant-0.5.10/driver_wext.c.mode-order-fix 2008-08-29 19:07:47.000000000 -0400
+++ wpa_supplicant-0.5.10/driver_wext.c 2008-08-29 19:07:47.000000000 -0400
@@ -1839,8 +1839,6 @@ wpa_driver_wext_associate(void *priv,
wpa_driver_wext_set_bssid(drv, NULL) < 0)
ret = -1;
- if (wpa_driver_wext_set_mode(drv, params->mode) < 0)
- ret = -1;
/* TODO: should consider getting wpa version and cipher/key_mgmt suites
* from configuration, not from here, where only the selected suite is
* available */
@@ -2398,6 +2396,7 @@ const struct wpa_driver_ops wpa_driver_w
.get_scan_results = wpa_driver_wext_get_scan_results,
.deauthenticate = wpa_driver_wext_deauthenticate,
.disassociate = wpa_driver_wext_disassociate,
+ .set_mode = wpa_driver_wext_set_mode,
.associate = wpa_driver_wext_associate,
.set_auth_alg = wpa_driver_wext_set_auth_alg,
.init = wpa_driver_wext_init,
diff -up wpa_supplicant-0.5.10/wpa_supplicant.c.mode-order-fix wpa_supplicant-0.5.10/wpa_supplicant.c
--- wpa_supplicant-0.5.10/wpa_supplicant.c.mode-order-fix 2008-08-29 19:07:47.000000000 -0400
+++ wpa_supplicant-0.5.10/wpa_supplicant.c 2008-08-29 19:07:47.000000000 -0400
@@ -1379,6 +1379,11 @@ void wpa_supplicant_associate(struct wpa
* previous association. */
wpa_sm_set_assoc_wpa_ie(wpa_s->wpa, NULL, 0);
+ if (wpa_drv_set_mode(wpa_s, ssid->mode)) {
+ wpa_printf(MSG_WARNING, "Failed to set operating mode");
+ assoc_failed = 1;
+ }
+
#ifdef IEEE8021X_EAPOL
if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
if (ssid->leap) {
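Review bot: On failure the new block records `assoc_failed = 1` and falls through, so association is still attempted in whatever mode the driver was left in; if `assoc_failed` only adjusts the authentication timeout later in this function (its use is outside the hunk), an IBSS request on a driver that refused the mode change may proceed as an ordinary association and fail later with a less specific symptom. Consider logging the requested mode, `wpa_printf(MSG_WARNING, "Failed to set operating mode %d", ssid->mode);`, so the failure can be correlated with the network block. wpa_supplicant_associate begins and ends outside this hunk.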
diff -up wpa_supplicant-0.5.10/wpa_supplicant_i.h.mode-order-fix wpa_supplicant-0.5.10/wpa_supplicant_i.h
--- wpa_supplicant-0.5.10/wpa_supplicant_i.h.mode-order-fix 2007-12-27 19:50:15.000000000 -0500
+++ wpa_supplicant-0.5.10/wpa_supplicant_i.h 2008-08-29 19:07:47.000000000 -0400
@@ -460,6 +460,14 @@ static inline int wpa_drv_set_wpa(struct
return 0;
}
+static inline int wpa_drv_set_mode(struct wpa_supplicant *wpa_s, int mode)
+{
+ if (wpa_s->driver->set_mode) {
+ return wpa_s->driver->set_mode(wpa_s->drv_priv, mode);
+ }
+ return 0;
+}
+
static inline int wpa_drv_associate(struct wpa_supplicant *wpa_s,
struct wpa_driver_associate_params *params)
{
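Review bot: `wpa_drv_set_mode()` returns 0 when the driver has no `set_mode` callback, so callers cannot distinguish "mode applied" from "driver does not support setting the mode separately"; that is probably intended, since pre-existing drivers apply the mode inside associate(), but it should be stated at the definition. Suggest a leading comment: `/* Drivers without set_mode are assumed to apply the mode in associate(); report success so wpa_supplicant_associate() proceeds. */`. The neighbouring wrappers in this header appear to follow the same NULL-means-0 convention, so this matches local style.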
Index: wpa_supplicant.spec
===================================================================
RCS file: /cvs/extras/rpms/wpa_supplicant/F-8/wpa_supplicant.spec,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- wpa_supplicant.spec 11 Jun 2008 11:12:58 -0000 1.48
+++ wpa_supplicant.spec 2 Sep 2008 19:39:48 -0000 1.49
@@ -2,7 +2,7 @@
Name: wpa_supplicant
Epoch: 1
Version: 0.5.10
-Release: 5%{?dist}
+Release: 6%{?dist}
License: BSD
Group: System Environment/Base
Source0: http://hostap.epitest.fi/releases/%{name}-%{version}.tar.gz
@@ -21,10 +21,19 @@
Patch4: wpa_supplicant-0.5.7-use-IW_ENCODE_TEMP.patch
Patch5: wpa_supplicant-0.5.10-dbus-service-file.patch
Patch6: wpa_supplicant-0.5.10-default-log-file.patch
+# Upstream in 0.6.x
Patch7: wpa_supplicant-0.6.3-wext-dont-overwrite-BSS-frequency.patch
+# Upstream in 0.6.x
Patch8: wpa_supplicant-0.6.3-dont-reschedule-specific-scans.patch
+# Upstream in 0.6.x
Patch9: wpa_supplicant-0.6.3-wext-handle-mac80211-mode-switches.patch
+# Upstream in 0.6.x
Patch10: wpa_supplicant-0.6.3-wpa-gui-fixes.patch
+# Backported from 0.6.x
+Patch11: wpa_supplicant-0.6.3-wext-scan-parser-crash-fix.patch
+# Backported from 0.6.x
+Patch12: wpa_supplicant-0.5.10-rsn-race-fix.patch
+Patch13: wpa_supplicant-0.6.4-mac80211-mode-order-fix.patch
URL: http://w1.fi/wpa_supplicant/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
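Review bot: Patch13 is the only one of the three new patches without a provenance comment, while Patch11 and Patch12 carry `# Backported from 0.6.x`; for consistency add `# Backported from 0.6.x` (or its actual origin) above `Patch13: wpa_supplicant-0.6.4-mac80211-mode-order-fix.patch`. The file name suggests 0.6.4, but the patch body on this page carries no upstream commit reference, so the spec comment is the only place the origin would be recorded.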
@@ -63,6 +72,9 @@
%patch8 -p3 -b .ssid-scans
%patch9 -p3 -b .mac80211-mode
%patch10 -p1 -b .wpa-gui-fixes
+%patch11 -p1 -b .scan-parse-crash
+%patch12 -p1 -b .rsn-race-fix
+%patch13 -p1 -b .mode-order-fix
%build
cp %{SOURCE1} ./.config
@@ -70,7 +82,8 @@
CFLAGS="${CFLAGS:-%optflags}" ; export CFLAGS ;
CXXFLAGS="${CXXFLAGS:-%optflags}" ; export CXXFLAGS ;
make %{_smp_mflags}
-QTDIR=%{_libdir}/qt-3.3 make wpa_gui %{_smp_mflags}
+unset QTDIR && . /etc/profile.d/qt.sh
+make wpa_gui %{_smp_mflags}
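Review bot: `unset QTDIR && . /etc/profile.d/qt.sh` makes the build depend on that profile script being present in the build chroot; rpm runs %build with `sh -e`, so a missing file aborts the build instead of falling back to the explicit `QTDIR=%{_libdir}/qt-3.3` the old line set. The script is typically shipped by the Qt 3 package, so a BuildRequires that pulls it in is what makes this safe; the BuildRequires list is not in this hunk and is worth confirming. Sourcing a profile script also imports whatever other environment it sets, which is broader than the single variable the previous line assigned.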
%install
rm -rf %{buildroot}
@@ -151,6 +164,11 @@
%{_bindir}/wpa_gui
%changelog
+* Tue Sep 2 2008 Dan Williams <dcbw at redhat.com> - 0.5.10-6
+- Fix possible crash when parsing scan results
+- Fix possible race condition when using RSN/WPA2
+- Fix starting ad-hoc networks with mac80211-based drivers
+
* Wed Jun 11 2008 Dan Williams <dcbw at redhat.com> - 0.5.10-5
- Fix 802.11a frequency bug
- Always schedule specific SSID scans to help find hidden APs