From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH v3 2/9] dpp: fix config request header check
Date: Tue, 31 Oct 2023 11:47:43 -0700
Message-ID: <20231031184750.722404-3-prestwoj@gmail.com>
In-Reply-To: <20231031184750.722404-1-prestwoj@gmail.com>
The check for the header was incorrect according to the spec.
Table 58 indicates that the "Query Response Info" should be set
to 0x00 for the configuration request. The frame handler was
expecting 0x7f which is the value for the config response frame.
Unfortunately wpa_supplicant also gets this wrong and uses 0x7f
in all cases which is likely why this value was set incorrectly
in IWD. The issue is that IWD's config request is correct which
means IWD<->IWD configuration is broken. (and wpa_supplicant as
a configurator likely doesn't validate the config request).
Fix this by checking both 0x7f and 0x00 to handle both
supplicants.
---
src/dpp.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/dpp.c b/src/dpp.c
index cfdfaa38..dcf5953f 100644
--- a/src/dpp.c
+++ b/src/dpp.c
@@ -920,6 +920,21 @@ static void dpp_send_config_response(struct dpp_sm *dpp, uint8_t status)
dpp_send_frame(dpp, iov, 2, dpp->current_freq);
}
+static bool dpp_check_config_header(const uint8_t *ptr)
+{
+ /*
+ * Table 58. General Format of DPP Configuration Request frame
+ *
+ * Unfortunately wpa_supplicant hard codes 0x7f as the Query Response
+ * Info so we need to handle both cases.
+ */
+ return ptr[0] == IE_TYPE_ADVERTISEMENT_PROTOCOL &&
+ ptr[1] == 0x08 &&
+ (ptr[2] == 0x7f || ptr[2] == 0x00) &&
+ ptr[3] == IE_TYPE_VENDOR_SPECIFIC &&
+ ptr[4] == 5;
+}
+
static void dpp_handle_config_request_frame(const struct mmpdu_header *frame,
const void *body, size_t body_len,
int rssi, void *user_data)
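Review bot: dpp_check_config_header() indexes ptr[0] through ptr[4] but takes no length argument, so its safety depends on the caller having already confirmed that at least five bytes remain in the frame body, and no such check is visible in this hunk. Consider passing the remaining length as a second parameter and returning false when it is below 5, or stating the precondition in the function comment. The comment would also read more clearly if it said that 0x00 is the value Table 58 specifies and that 0x7f is accepted only for wpa_supplicant interoperability; the literals 0x08 and 5 would benefit from named constants or a short note on what they encode.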
@@ -937,8 +952,6 @@ static void dpp_handle_config_request_frame(const struct mmpdu_header *frame,
const uint8_t *e_nonce = NULL;
size_t wrapped_len = 0;
_auto_(l_free) uint8_t *unwrapped = NULL;
- uint8_t hdr_check[] = { IE_TYPE_ADVERTISEMENT_PROTOCOL, 0x08, 0x7f,
- IE_TYPE_VENDOR_SPECIFIC, 5 };
struct json_iter jsiter;
_auto_(l_free) char *tech = NULL;
_auto_(l_free) char *role = NULL;
@@ -965,10 +978,10 @@ static void dpp_handle_config_request_frame(const struct mmpdu_header *frame,
dpp->diag_token = *ptr++;
- if (memcmp(ptr, hdr_check, sizeof(hdr_check)))
+ if (!dpp_check_config_header(ptr))
return;
- ptr += sizeof(hdr_check);
+ ptr += 5;
if (memcmp(ptr, wifi_alliance_oui, sizeof(wifi_alliance_oui)))
return;
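Review bot: `ptr += 5` hard-codes the header length that dpp_check_config_header() validates, where the removed code derived it from sizeof(hdr_check); if the helper's field list ever changes, this advance can silently drift from what was checked. A shared named constant, or having the helper return the number of bytes it consumed, would keep the two in step.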
--
2.25.1