Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 1a38330d4a1bc32bc53c4a381cbd6fc7c076506f^! / .
commit1a38330d4a1bc32bc53c4a381cbd6fc7c076506f[log] [tgz]
authorAbhishek Ambure <aambure@codeaurora.org>Wed Jul 01 16:13:22 2020 +0530
committernshrivas <nshrivas@codeaurora.org>Thu Jul 02 20:10:35 2020 -0700
tree4c9ace83eed120aa939fdfe3ceb67ad28de81cf4
parent311bc3e17ae2a06f69ed09df3301c260d790a2a9 [diff]
qcacld-3.0: Don't free sae auth retry frame for invalid auth rsp

In the noisy environment observation is, host sends SAE commit req to
AP and gets SAE commit response from AP, then host sends SAE confirm
req to AP but due to noisy environment AP miss the ack for SAE commit
response and keep sending SAE commit response even host send SAE
confirm. As host cleans SAE auth retry frames on reception of SAE auth
rx from AP, host cleanups SAE auth confirm req and disable SAE auth
retry timer. This leads to SAE auth failure. To avoid this host matches
auth frame's "sae algo sequence number" with last sent auth frame's "sae
algo sequence number", if it matches then only free sae auth retry frame
and deactivate sae auth retry timer.

Change-Id: Ia9ae2e5d82c696efdc0aaf4e04b6760b9829c510
CRs-Fixed: 2720436

diff --git a/core/mac/src/pe/lim/lim_process_auth_frame.c b/core/mac/src/pe/lim/lim_process_auth_frame.c
index 3a2f6e2..a774b7b 100644
--- a/core/mac/src/pe/lim/lim_process_auth_frame.c
+++ b/core/mac/src/pe/lim/lim_process_auth_frame.c

@@ -354,6 +354,48 @@
 	mlme_free_sae_auth_retry(pe_session->vdev);
 }
 
+#define SAE_AUTH_ALGO_BYTES 2
+#define SAE_AUTH_SEQ_NUM_BYTES 2
+#define SAE_AUTH_SEQ_OFFSET 1
+
+/**
+ * lim_is_sae_auth_algo_match()- Match SAE auth seq in queued SAE auth and
+ * SAE auth rx frame
+ * @queued_frame: Pointer to queued SAE auth retry frame
+ * @q_len: length of queued sae auth retry frame
+ * @rx_pkt_info: Rx packet
+ *
+ * Return: True if SAE auth seq is mached else false
+ */
+static bool lim_is_sae_auth_algo_match(uint8_t *queued_frame, uint16_t q_len,
+				       uint8_t *rx_pkt_info)
+{
+	tpSirMacMgmtHdr qmac_hdr = (tpSirMacMgmtHdr)queued_frame;
+	uint16_t *rxbody_ptr, *qbody_ptr, rxframe_len, min_len;
+
+	min_len = sizeof(tSirMacMgmtHdr) + SAE_AUTH_ALGO_BYTES +
+			SAE_AUTH_SEQ_NUM_BYTES;
+
+	rxframe_len = WMA_GET_RX_PAYLOAD_LEN(rx_pkt_info);
+	if (rxframe_len < min_len || q_len < min_len) {
+		pe_debug("rxframe_len %d, queued_frame_len %d, min_len %d",
+			 rxframe_len, q_len, min_len);
+		return false;
+	}
+
+	rxbody_ptr = (uint16_t *)WMA_GET_RX_MPDU_DATA(rx_pkt_info);
+	qbody_ptr = (uint16_t *)((uint8_t *)qmac_hdr + sizeof(tSirMacMgmtHdr));
+
+	pe_debug("sae_auth : rx pkt auth seq %d queued pkt auth seq %d",
+		 rxbody_ptr[SAE_AUTH_SEQ_OFFSET],
+		 qbody_ptr[SAE_AUTH_SEQ_OFFSET]);
+	if (rxbody_ptr[SAE_AUTH_SEQ_OFFSET] ==
+	    qbody_ptr[SAE_AUTH_SEQ_OFFSET])
+		return true;
+
+	return false;
+}
+
 /**
  * lim_process_sae_auth_frame()-Process SAE authentication frame
  * @mac_ctx: MAC context
@@ -408,10 +450,13 @@
 
 	sae_retry = mlme_get_sae_auth_retry(pe_session->vdev);
 	if (LIM_IS_STA_ROLE(pe_session) && sae_retry &&
-	    sae_retry->sae_auth.data)
-		lim_sae_auth_cleanup_retry(mac_ctx,
-					   pe_session->vdev_id);
-
+	    sae_retry->sae_auth.data) {
+		if (lim_is_sae_auth_algo_match(
+		    sae_retry->sae_auth.data, sae_retry->sae_auth.len,
+		     rx_pkt_info))
+			lim_sae_auth_cleanup_retry(mac_ctx,
+						   pe_session->vdev_id);
+	}
 	lim_send_sme_mgmt_frame_ind(mac_ctx, mac_hdr->fc.subType,
 				    (uint8_t *)mac_hdr,
 				    frame_len + sizeof(tSirMacMgmtHdr),