wpa_supplicant: Resolve WPA3 SAE softAP coverity issues

1) Resolve wpa_suppliant coverity issues caused by SAE softAP 2) Fix crash occured while deinitialization of softAP when authmode is changed 3) Fix issue related to anti clogging token and send_confirm 4) Put some AP specific functions under ESP_WIFI_SOFTAP_SUPPORT compilation flags
2025-08-20 08:39:05 +00:00 · 2023-03-02 12:21:10 +05:30
parent cd747165df
commit c797146f43
7 changed files with 57 additions and 75 deletions
--- a/components/wpa_supplicant/src/ap/ieee802_11.c
+++ b/components/wpa_supplicant/src/ap/ieee802_11.c
@@ -202,7 +202,7 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd)
    for (sta = hapd->sta_list; sta; sta = sta->next) {
        if (sta->sae &&
            (sta->sae->state == SAE_COMMITTED ||
-             sta->sae->state != SAE_CONFIRMED)) {
+             sta->sae->state == SAE_CONFIRMED)) {
            open++;
        }
        if (open >= hapd->conf->sae_anti_clogging_threshold) {
@@ -358,13 +358,12 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
            if (ret) {
                return ret;
            }
+            sae_set_state(sta, SAE_COMMITTED, "Sent Commit");

            if (sae_process_commit(sta->sae) < 0) {
                return WLAN_STATUS_UNSPECIFIED_FAILURE;
            }

-            sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
-
            sta->sae->sync = 0;
        } else {
            if (sae_check_big_sync(hapd, sta)) {
@@ -534,38 +533,36 @@ int handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
            goto remove_sta;
        }

-        if (sta->sae->state >= SAE_CONFIRMED) {
-            const u8 *var;
-            size_t var_len;
-            u16 peer_send_confirm;
+       const u8 *var;
+       size_t var_len;
+       u16 peer_send_confirm;

-            var = buf;
-            var_len = len;
-            if (var_len < 2) {
-                resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
-                goto reply;
-            }
+       var = buf;
+       var_len = len;
+       if (var_len < 2) {
+           resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+           goto reply;
+       }

-            peer_send_confirm = WPA_GET_LE16(var);
+       peer_send_confirm = WPA_GET_LE16(var);

-            if (sta->sae->state == SAE_ACCEPTED &&
-                    (peer_send_confirm <= sta->sae->rc ||
-                     peer_send_confirm == 0xffff)) {
-                wpa_printf(MSG_DEBUG,
-                           "SAE: Silently ignore unexpected Confirm from peer "
-                           MACSTR
-                           " (peer-send-confirm=%u Rc=%u)",
-                           MAC2STR(sta->addr),
-                           peer_send_confirm, sta->sae->rc);
-                return 0;
-            }
+       if (sta->sae->state == SAE_ACCEPTED &&
+               (peer_send_confirm <= sta->sae->rc ||
+                peer_send_confirm == 0xffff)) {
+           wpa_printf(MSG_DEBUG,
+                      "SAE: Silently ignore unexpected Confirm from peer "
+                      MACSTR
+                      " (peer-send-confirm=%u Rc=%u)",
+                      MAC2STR(sta->addr),
+                      peer_send_confirm, sta->sae->rc);
+           return 0;
+       }

-            if (sae_check_confirm(sta->sae, buf, len) < 0) {
-                resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
-                goto reply;
-            }
-            sta->sae->rc = peer_send_confirm;
-        }
+       if (sae_check_confirm(sta->sae, buf, len) < 0) {
+           resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+           goto reply;
+       }
+       sta->sae->rc = peer_send_confirm;

        resp = sae_sm_step(hapd, sta, bssid, auth_transaction,
                           status, 0, &sta_removed);
--- a/components/wpa_supplicant/src/ap/wpa_auth.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth.c
@@ -495,7 +495,7 @@ static void wpa_free_sta_sm(struct wpa_state_machine *sm)
 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
 {
 #ifdef ESP_SUPPLICANT
-    if (esp_wifi_ap_is_sta_sae_reauth_node(sm->addr)) {
+    if (sm && esp_wifi_ap_is_sta_sae_reauth_node(sm->addr)) {
        wpa_printf( MSG_DEBUG, "deinit old sm=%p\n", sm);
    }
 #else /* ESP_SUPPLICANT */
@@ -2509,6 +2509,7 @@ void wpa_deinit(struct wpa_authenticator *wpa_auth)

 }

+#ifdef CONFIG_ESP_WIFI_SOFTAP_SUPPORT
 bool wpa_ap_join(struct sta_info *sta, uint8_t *bssid, uint8_t *wpa_ie,
                uint8_t wpa_ie_len, uint8_t *rsnxe, uint8_t rsnxe_len,
                bool *pmf_enable, int subtype)
@@ -2614,6 +2615,7 @@ bool wpa_ap_remove(void* sta_info)

    return true;
 }
+#endif /* CONFIG_ESP_WIFI_SOFTAP_SUPPORT */

 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
               const u8 *sta_addr)
--- a/components/wpa_supplicant/src/ap/wpa_auth_ie.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth_ie.c
@@ -311,7 +311,7 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len)
 		capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
 	}

-	flen = (capab & 0xff00) ? 2 : 1;
+	flen = 1;
 	if (!capab)
 		return 0; /* no supported extended RSN capabilities */
 	if (len < 2 + flen)
@@ -321,9 +321,6 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len)
 	*pos++ = WLAN_EID_RSNX;
 	*pos++ = flen;
 	*pos++ = capab & 0x00ff;
-	capab >>= 8;
-	if (capab)
-		*pos++ = capab;

 	return pos - buf;
 }