wlan: Change to drop spurious Assoc/Reassoc frames
As per the current implementation all received management frames
will be queued in PE and processed sequentially.
In PMF SAP mode, if we receive Re/Assoc request frame from
connected peer we will send Re/Assoc response with retry later
status and initiate SA query to connected peer and disconnect if
we didn't receive SA query response with in timeout.
In the issue scenario DOS attack with Assoc/Reassoc frames were
injected on behalf of connected station in PMF mode and due to
flooding of this request frames there is a delay in processing
the SA query response frame sent by peer resulting in disconnection.
Change made to drop queuing Assoc/Reassoc frames sent by connected
peer in the below scenario's.
1)Avoid queuing, if time delta between last and current
Assoc/Reassoc frame is less than 1 sec.
2)Avoid queuing, if SA query is in progress.
Change-Id: Icf31f8efb3bf24dd76a0a2162cab423d4cac12b4
CRs-Fixed: 879505
diff --git a/CORE/MAC/src/pe/lim/limApi.c b/CORE/MAC/src/pe/lim/limApi.c
index 47158e0..3829ea5 100644
--- a/CORE/MAC/src/pe/lim/limApi.c
+++ b/CORE/MAC/src/pe/lim/limApi.c
@@ -2247,6 +2247,60 @@
return;
}
+#ifdef WLAN_FEATURE_11W
+/** --------------------------------------------------------------------
+ * lim_is_assoc_req_for_drop()- function to decides to drop assoc\reassoc
+ * frames.
+ * @mac: pointer to global mac structure
+ * @rx_pkt_info: rx packet meta information
+ *
+ * This function is called before enqueuing the frame to PE queue to
+ * drop flooded assoc/reassoc frames getting into PE Queue.
+ *
+ * Return: true for dropping the frame otherwise false
+----------------------------------------------------------------------*/
+
+bool lim_is_assoc_req_for_drop(tpAniSirGlobal pMac, uint8_t *rx_pkt_info)
+{
+ tANI_U8 session_id;
+ tANI_U16 aid;
+ tpPESession session_entry;
+ tpSirMacMgmtHdr pMacHdr;
+ tpDphHashNode sta_ds;
+
+ pMacHdr = WDA_GET_RX_MAC_HEADER(rx_pkt_info);
+ session_entry = peFindSessionByBssid(pMac, pMacHdr->bssId, &session_id);
+ if (!session_entry)
+ {
+ PELOG1(limLog(pMac, LOG1,
+ FL("session does not exist for given STA [%pM]"),
+ pMacHdr->sa););
+ return false;
+ }
+ sta_ds = dphLookupHashEntry(pMac, pMacHdr->sa, &aid,
+ &session_entry->dph.dphHashTable);
+ if (!sta_ds)
+ {
+ PELOG1(limLog(pMac, LOG1, FL("pStaDs is NULL")););
+ return false;
+ }
+
+ if (!sta_ds->rmfEnabled)
+ return false;
+
+ if (sta_ds->pmfSaQueryState == DPH_SA_QUERY_IN_PROGRESS)
+ return true;
+
+ if (sta_ds->last_assoc_received_time &&
+ ((vos_timer_get_system_time() -
+ sta_ds->last_assoc_received_time) < 1000))
+ return true;
+
+ sta_ds->last_assoc_received_time = vos_timer_get_system_time();
+ return false;
+}
+#endif
+
/** ----------------------------------------------------------------------
*\brief limIsDeauthDiassocForDrop()..decides to drop deauth\diassoc frames.
*This function is called before enqueuing the frame to PE queue.
@@ -2392,6 +2446,12 @@
return eMGMT_DROP_NO_DROP;
#endif
+#ifdef WLAN_FEATURE_11W
+ if ((subType == SIR_MAC_MGMT_ASSOC_REQ ||
+ subType == SIR_MAC_MGMT_REASSOC_REQ) &&
+ lim_is_assoc_req_for_drop(pMac, pRxPacketInfo))
+ return eMGMT_DROP_SPURIOUS_FRAME;
+#endif
//Drop INFRA Beacons and Probe Responses in IBSS Mode
if( (subType == SIR_MAC_MGMT_BEACON) ||
(subType == SIR_MAC_MGMT_PROBE_RSP))