path: root/src/l2_packet
Commit message | Author | Age | Files | Lines
* wpa_supplicant: Don't reply to EAPOL if pkt_type is PACKET_OTHERHOST | Davide Caratti | 2018-04-02 | 2 | -0/+24
  When wpa_supplicant is running on a Linux interface that is configured in promiscuous mode, and it is not a member of a bridge, incoming EAPOL packets are processed regardless of the Destination Address in the frame. As a consequence, there are situations where wpa_supplicant replies to EAPOL packets that are not destined for it.
  This behavior seems undesired (see IEEE Std 802.1X-2010, 11.4.a), and can be avoided by attaching a BPF filter that lets the kernel discard packets having pkt_type equal to PACKET_OTHERHOST.
  Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
* tests: Add TEST_FAIL() checks in l2_packet | Jouni Malinen | 2017-03-04 | 1 | -0/+6
  This enables additional test coverage for error paths.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove trailing whitespace | Jouni Malinen | 2016-12-28 | 1 | -2/+2
  Signed-off-by: Jouni Malinen <j@w1.fi>
* l2_packet: Extend bridge workaround RX processing to cover two frames | Jouni Malinen | 2016-01-07 | 1 | -1/+17
  There was a race condition in how the l2_packet sockets got read that could result in the same socket (e.g., non-bridge) to process both the EAP-Success and the immediately following EAPOL-Key msg 1/4 instead of each frame going in alternative order between the bridge and non-bridge sockets. This could be hit, e.g., if the wpa_supplicant process did not have enough CPU to process all the incoming frames without them getting buffered and both sockets reporting frames simultaneously.
  This resulted in the duplicated EAP-Success frame getting delivered twice for processing and likely also the EAPOL-Key msg 1/4 getting processed twice. While the latter does not do much harm, the former did clear the EAP authentication state and could result in issues.
  Fix this by extending the l2_packet Linux packet socket workaround for bridge to check for duplicates against the last two received frames instead of just the last one.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* l2_packet: Improve bridge workaround RX processing | Jouni Malinen | 2016-01-06 | 1 | -0/+5
  It was possible for the packet socket on the bridge interface to receive own transmitted frames between the bridge and non-bridge sockets receiving the same incoming frame from a foreign host. This resulted in the hash checksum validation step failing to notice a duplicate RX due to the own frame updating the stored hash value. The own frame did get dropped in RX EAPOL processing, but that was too late to address the issue with duplicate RX.
  Fix this by dropping own frames already in l2_packet layer before checking and updating the last RX hash value.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix wpa_supplicant build with CONFIG_L2_PACKET=pcap | Jouni Malinen | 2016-01-01 | 1 | -0/+12
  Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux packet socket regression') forgot to add the l2_packet_init_bridge() wrapper for l2_packet_pcap.c while updating all the other l2_packet options. This resulted in wpa_supplicant build failing due to missing l2_packet_init_bridge() function when using CONFIG_L2_PACKET=pcap in wpa_supplicant/.config. Fix this by adding the wrapper function.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* l2_packet: Add build option to disable Linux packet socket workaround | Mohammed Shafi Shajakhan | 2015-10-25 | 1 | -2/+15
  Linux packet socket workaround(*) has an impact in performance when the workaround socket needs to be kept open to receive EAPOL frames. While this is normally avoided with a kernel that has the issue addressed by closing the workaround packet socket when detecting a frame through the main socket, it is possible for that mechanism to not be sufficient, e.g., when an open network connection (no EAPOL frames) is used.
  Add a build option (CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y) to disable the workaround. This build option is disabled by default and can be enabled explicitly on distributions which have an older kernel or a fix for the kernel regression.
  Also remove the unused variable num_rx.
  (*) Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596 ('bridge: respect RFC2863 operational state') from 2012 introduced a regression for using wpa_supplicant with EAPOL frames and a station interface in a bridge.
  Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
* tests: Add eapol-fuzzer | Jouni Malinen | 2015-04-22 | 1 | -3/+11
  This program can be used to run fuzzing tests for areas related to EAPOL frame parsing and processing on the supplicant side.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix Linux packet socket workaround to not close the socket too easily | Jouni Malinen | 2015-02-22 | 1 | -5/+55
  Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux packet socket regression') closed the workaround socket on the first received EAPOL frame from the main packet socket. This can result in closing the socket in cases where the kernel does not really work in the expected way during the following initial association since reauthentication/rekeying using EAPOL frames happens while operstate is not dormant and as such, the frames can get delivered through the main packet socket.
  Fix this by closing the workaround socket only in case the first EAPOL frame is received through the main packet socket. This case happens while the interface is in dormant state and as such, is more likely to show the more restricted case of kernel functionality.
  In order to avoid processing the received EAPOL frames twice, verify a checksum of the frame contents when receiving frames alternatively from the main packet socket and the workaround socket.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix Linux packat socket regression work around | Jouni Malinen | 2015-02-07 | 1 | -2/+2
  Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux packet socket regression') added a mechanism to close the workaround bridge socket in l2_packet_receive(). However, it did not take into account the possibility of the l2->rx_callback() closing the l2_packet socket altogether. This could result in use of freed memory when using RSN pre-authentication. Fix this by reordering the calls to clear the workaround socket before calling the rx_callback.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Work around Linux packet socket regression | Jouni Malinen | 2015-01-31 | 7 | -2/+195
  Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596 ('bridge: respect RFC2863 operational state') from 2012 introduced a regression for using wpa_supplicant with EAPOL frames and a station interface in a bridge. Since it does not look like this regression is going to get fixed any time soon (it is already two years from that commit and over 1.5 from a discussion pointing out the regression), add a workaround in wpa_supplicant to avoid this issue.
  The wpa_supplicant workaround uses a secondary packet socket to capture all frames (ETH_P_ALL) from the netdev that is in a bridge. This is needed to avoid the kernel regression. However, this comes at the price of more CPU load. Some of this is avoided with use of Linux socket filter, but still, this is less efficient than a packet socket bound to the specific EAPOL ethertype.
  The workaround gets disabled automatically, if the main packet socket interface on the bridge interface turns out to be working for RX (e.g., due to an old kernel version being used or a new kernel version having a fix for the regression). In addition, this workaround is only taken into use for the special case of running wpa_supplicant with an interface in a bridge.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Clean up debug prints to use wpa_printf() | Jouni Malinen | 2014-12-26 | 2 | -12/+16
  This converts most of the remaining perror() and printf() calls from hostapd and wpa_supplicant to use wpa_printf().
  Signed-off-by: Jouni Malinen <j@w1.fi>
* proxyarp: Do not limit NDISC snoop packet size to 150 | Jouni Malinen | 2014-11-28 | 1 | -2/+2
  The RA, NS, and NA packets may be longer, so do not arbitrarily limit the packet socket capture size to 150 bytes in the socket filter.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* l2_packet: Add support for NDISC packet filter in l2_packet_linux | Kyeyoon Park | 2014-11-19 | 2 | -0/+22
  Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
* l2_packet: Add support for DHCP packet filter in l2_packet_linux | Kyeyoon Park | 2014-10-27 | 7 | -0/+103
  Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
* l2_packet: Fix l2_packet_none (hostapd default) | Jouni Malinen | 2014-04-14 | 1 | -1/+2
  The sample code here ended up trying to register an eloop socket with fd == -1. This was not really ever supposed to be used, but it is now also hitting an assert in eloop. Skip the unnecessary eloop_register_read_sock() to avoid this.
  This was causing issues for hostapd since CONFIG_L2_PACKET is not set by default. If CONFIG_RSN_PREAUTH=y was not used for CONFIG_L2_PACKET was not set in .config explicitly, the default use of l2_packet_none.c ended up hitting the newly added assert() in eloop.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add CONFIG_CODE_COVERAGE=y option for gcov | Jouni Malinen | 2013-11-24 | 1 | -1/+1
  This can be used to measure code coverage from test scripts.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Update license notification in files initially contributed by Sam | Jouni Malinen | 2012-06-30 | 1 | -8/+2
  This updates these files to use the license notification that uses only the BSD license. The changes were acknowledged by email (Sam Leffler <sam@errno.com>, Sat, 30 Jun 2012 07:57:53 -0700).
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Make bind failure messages unique | Ben Greear | 2012-04-06 | 1 | -1/+1
  This helps someone know which part of the code is complaining.
  Signed-hostap: Ben Greear <greearb@candelatech.com>
* Remove the GPL notification from files contributed by Jouni Malinen | Jouni Malinen | 2012-02-11 | 7 | -56/+14
  Remove the GPL notification text from the files that were initially contributed by myself.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* l2_packet: Use wpa_printf() instead of perror() | Jouni Malinen | 2010-11-24 | 1 | -10/+20
* l2_packet_ndis: Fix overlapped write not to corrupt stack | Jouni Malinen | 2010-09-02 | 1 | -5/+11
  When using overlapped write, we must have the provided memory areas available during the operation and cannot just use stack unless we wait for the completion within the function. In the case of TX here, we can easily wait for the completion since it is likely to happen immediately. In addition, this provides more reliable success/failure return value for l2_packet_send(). [Bug 328]
* Solaris: Add support for wired IEEE 802.1X client | Masashi Honma | 2010-08-28 | 1 | -0/+31
  This patch adds support for wired IEEE 802.1X client on the Solaris.
  I have tested with these:
  OS : OpenSolaris 2009.06
  EAP : EAP-MD5
  Switch : Cisco Catalyst 2950
* Remove unnecessary SUBDIRS loops from src/*/Makefile | Jouni Malinen | 2010-04-17 | 1 | -1/+0
  There are no subdirectories in any of these directories or plans for adding ones. As such, there is no point in running the loop that does not do anything and can cause problems with some shells.
* wpa_supplicant: fix FTBFS on Debian GNU/kFreeBSD | Kel Modderman | 2010-03-06 | 1 | -1/+1
  This patch allows wpa_supplicant to compile on Debian's kfreebsd architectures. Patch by Stefan Lippers-Hollmann based on work done by Petr Salinger and Emmanuel Bouthenot for 0.6.X (http://bugs.debian.org/480572).
* Remove src/common from default header file path | Jouni Malinen | 2009-11-29 | 1 | -1/+1
  This makes it clearer which files are including header from src/common. Some of these cases should probably be cleaned up in the future not to do that.
  In addition, src/common/nl80211_copy.h and wireless_copy.h were moved into src/drivers since they are only used by driver wrappers and do not need to live in src/common.
* Work around some gcc 4.4 strict-aliasing warnings | Jouni Malinen | 2009-11-04 | 1 | -1/+1
  gcc 4.4 ends up generating strict-aliasing warnings about some very common networking socket uses that do not really result in a real problem and cannot be easily avoided with union-based type-punning due to struct definitions including another struct in system header files. To avoid having to fully disable strict-aliasing warnings, provide a mechanism to hide the typecast from aliasing for now. A cleaner solution will hopefully be found in the future to handle these cases.
* Add root .gitignore file to cleanup ignore lists | Jouni Malinen | 2009-06-29 | 1 | -1/+0
  This removes need for local configuration to ignore *.o and *~ and allows the src/*/.gitignore files to be removed (subdirectories will inherit the rules from the root .gitignore).
* Zero struct ifreq data before use in l2_packet_init() | Larry Stefani | 2009-03-13 | 1 | -0/+1
  [Bug 300]
* Improved 'make install' (use BINDIR/LIBDIR, install shared objects) | Daniel Mierswa | 2009-02-15 | 1 | -0/+3
* Added endianness annotation for sparse | Jouni Malinen | 2009-01-03 | 1 | -1/+1
* Ported driver_test to Windows (only UDP socket available) | Jouni Malinen | 2008-12-12 | 1 | -1/+2
* Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release | Jouni Malinen | 2008-02-28 | 10 | -0/+2253