Cumulative patch from commit 1acf38f1a5aa19169035de9b611fc76440729c0b
1acf38f Add ifname to vlan_remove_dynamic() debug print
2e192bd Print debug entry on STA pruning from other interfaces
c8e6bea Remove VLAN interface on STA free
de31fb0 vlan: Ignore multiple NEWLINK messages
371205d vlan: Ignore DELLINK on interfaces that exists
a5e81ba Fix STA VLAN bind for RSN pre-authentication case
3ffdeb7 Fix RSN preauthentication with dynamic_vlan enabled but unused
8e2c5f1 dbus: Fix WPS property of fi.w1.wpa_supplicant1.BSS interface
d447cd5 Updates for stricter automatic memcpy bounds checking
60eb9e1 AP: Enable multicast snooping on bridge if ProxyARP IPv6 is in use
b799118 Fix CONFIG_AP=y build without CONFIG_CTRL_IFACE
954f03a Fix compilation issues with CONFIG_NO_CONFIG_WRITE=y
da3db68 Fix INTERFACE_ADD parsing
Change-Id: If25ebad847bc2a1b5d9386cbaa80c6fd8ce4e226
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index b9d6832..00d5240 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -114,6 +114,7 @@
struct hostapd_vlan *next;
int vlan_id; /* VLAN ID or -1 (VLAN_ID_WILDCARD) for wildcard entry */
char ifname[IFNAMSIZ + 1];
+ int configured;
int dynamic_vlan;
#ifdef CONFIG_FULL_DYNAMIC_VLAN
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 89911b1..3601dfe 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2473,11 +2473,11 @@
* so bind it to the selected VLAN interface now, since the
* interface selection is not going to change anymore.
*/
- if (ap_sta_bind_vlan(hapd, sta, 0) < 0)
+ if (ap_sta_bind_vlan(hapd, sta) < 0)
return;
} else if (sta->vlan_id) {
/* VLAN ID already set (e.g., by PMKSA caching), so bind STA */
- if (ap_sta_bind_vlan(hapd, sta, 0) < 0)
+ if (ap_sta_bind_vlan(hapd, sta) < 0)
return;
}
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 7e17ef4..f945efa 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1108,8 +1108,6 @@
pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
if (pmksa) {
- int old_vlanid;
-
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
HOSTAPD_LEVEL_DEBUG,
"PMK from PMKSA cache - skip IEEE 802.1X/EAP");
@@ -1123,11 +1121,8 @@
sta->eapol_sm->authFail = FALSE;
if (sta->eapol_sm->eap)
eap_sm_notify_cached(sta->eapol_sm->eap);
- old_vlanid = sta->vlan_id;
pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
- if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
- sta->vlan_id = 0;
- ap_sta_bind_vlan(hapd, sta, old_vlanid);
+ ap_sta_bind_vlan(hapd, sta);
} else {
if (reassoc) {
/*
@@ -1590,7 +1585,7 @@
struct hostapd_data *hapd = data;
struct sta_info *sta;
u32 session_timeout = 0, termination_action, acct_interim_interval;
- int session_timeout_set, old_vlanid = 0;
+ int session_timeout_set, vlan_id = 0;
struct eapol_state_machine *sm;
int override_eapReq = 0;
struct radius_hdr *hdr = radius_msg_get_hdr(msg);
@@ -1658,18 +1653,24 @@
switch (hdr->code) {
case RADIUS_CODE_ACCESS_ACCEPT:
if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
- sta->vlan_id = 0;
+ vlan_id = 0;
#ifndef CONFIG_NO_VLAN
- else {
- old_vlanid = sta->vlan_id;
- sta->vlan_id = radius_msg_get_vlanid(msg);
- }
- if (sta->vlan_id > 0 &&
- hostapd_vlan_id_valid(hapd->conf->vlan, sta->vlan_id)) {
+ else
+ vlan_id = radius_msg_get_vlanid(msg);
+ if (vlan_id > 0 &&
+ hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) {
hostapd_logger(hapd, sta->addr,
HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_INFO,
- "VLAN ID %d", sta->vlan_id);
+ "VLAN ID %d", vlan_id);
+ } else if (vlan_id > 0) {
+ sta->eapol_sm->authFail = TRUE;
+ hostapd_logger(hapd, sta->addr,
+ HOSTAPD_MODULE_RADIUS,
+ HOSTAPD_LEVEL_INFO,
+ "Invalid VLAN ID %d received from RADIUS server",
+ vlan_id);
+ break;
} else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) {
sta->eapol_sm->authFail = TRUE;
hostapd_logger(hapd, sta->addr,
@@ -1681,7 +1682,9 @@
}
#endif /* CONFIG_NO_VLAN */
- if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0)
+ sta->vlan_id = vlan_id;
+ if ((sta->flags & WLAN_STA_ASSOC) &&
+ ap_sta_bind_vlan(hapd, sta) < 0)
break;
sta->session_timeout_set = !!session_timeout_set;
diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 7e75e1a..1576db9 100644
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -171,6 +171,19 @@
!(sta->flags & WLAN_STA_PREAUTH))
hostapd_drv_sta_remove(hapd, sta->addr);
+#ifndef CONFIG_NO_VLAN
+ if (sta->vlan_id_bound) {
+ /*
+ * Need to remove the STA entry before potentially removing the
+ * VLAN.
+ */
+ if (hapd->iface->driver_ap_teardown &&
+ !(sta->flags & WLAN_STA_PREAUTH))
+ hostapd_drv_sta_remove(hapd, sta->addr);
+ vlan_remove_dynamic(hapd, sta->vlan_id_bound);
+ }
+#endif /* CONFIG_NO_VLAN */
+
ap_sta_hash_del(hapd, sta);
ap_sta_list_del(hapd, sta);
@@ -768,20 +781,13 @@
#endif /* CONFIG_WPS */
-int ap_sta_bind_vlan(struct hostapd_data *hapd, struct sta_info *sta,
- int old_vlanid)
+int ap_sta_bind_vlan(struct hostapd_data *hapd, struct sta_info *sta)
{
#ifndef CONFIG_NO_VLAN
const char *iface;
struct hostapd_vlan *vlan = NULL;
int ret;
-
- /*
- * Do not proceed furthur if the vlan id remains same. We do not want
- * duplicate dynamic vlan entries.
- */
- if (sta->vlan_id == old_vlanid)
- return 0;
+ int old_vlanid = sta->vlan_id_bound;
iface = hapd->conf->iface;
if (sta->ssid->vlan[0])
@@ -805,6 +811,14 @@
iface = vlan->ifname;
}
+ /*
+ * Do not increment ref counters if the VLAN ID remains same, but do
+ * not skip hostapd_drv_set_sta_vlan() as hostapd_drv_sta_remove() might
+ * have been called before.
+ */
+ if (sta->vlan_id == old_vlanid)
+ goto skip_counting;
+
if (sta->vlan_id > 0 && vlan == NULL) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_DEBUG, "could not find VLAN for "
@@ -838,7 +852,7 @@
HOSTAPD_LEVEL_DEBUG, "added new dynamic VLAN "
"interface '%s'", iface);
} else if (vlan && vlan->vlan_id == sta->vlan_id) {
- if (sta->vlan_id > 0) {
+ if (vlan->dynamic_vlan > 0) {
vlan->dynamic_vlan++;
hostapd_logger(hapd, sta->addr,
HOSTAPD_MODULE_IEEE80211,
@@ -862,6 +876,10 @@
}
}
+ /* ref counters have been increased, so mark the station */
+ sta->vlan_id_bound = sta->vlan_id;
+
+skip_counting:
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_DEBUG, "binding station to interface "
"'%s'", iface);
@@ -876,10 +894,10 @@
"entry to vlan_id=%d", sta->vlan_id);
}
-done:
/* During 1x reauth, if the vlan id changes, then remove the old id. */
- if (old_vlanid > 0)
+ if (old_vlanid > 0 && old_vlanid != sta->vlan_id)
vlan_remove_dynamic(hapd, old_vlanid);
+done:
return ret;
#else /* CONFIG_NO_VLAN */
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 57551ab..d192c71 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -120,7 +120,8 @@
struct hostapd_ssid *ssid; /* SSID selection based on (Re)AssocReq */
struct hostapd_ssid *ssid_probe; /* SSID selection based on ProbeReq */
- int vlan_id;
+ int vlan_id; /* 0: none, >0: VID */
+ int vlan_id_bound; /* updated by ap_sta_bind_vlan() */
/* PSKs from RADIUS authentication server */
struct hostapd_sta_wpa_psk_short *psk;
@@ -218,8 +219,7 @@
int ap_sta_wps_cancel(struct hostapd_data *hapd,
struct sta_info *sta, void *ctx);
#endif /* CONFIG_WPS */
-int ap_sta_bind_vlan(struct hostapd_data *hapd, struct sta_info *sta,
- int old_vlanid);
+int ap_sta_bind_vlan(struct hostapd_data *hapd, struct sta_info *sta);
void ap_sta_start_sa_query(struct hostapd_data *hapd, struct sta_info *sta);
void ap_sta_stop_sa_query(struct hostapd_data *hapd, struct sta_info *sta);
int ap_check_sa_query_timeout(struct hostapd_data *hapd, struct sta_info *sta);
diff --git a/src/ap/utils.c b/src/ap/utils.c
index 931968c..d60555a 100644
--- a/src/ap/utils.c
+++ b/src/ap/utils.c
@@ -59,6 +59,8 @@
if (!osta)
continue;
+ wpa_printf(MSG_INFO, "%s: Prune association for " MACSTR,
+ ohapd->conf->iface, MAC2STR(osta->addr));
ap_sta_disassociate(ohapd, osta, WLAN_REASON_UNSPECIFIED);
}
diff --git a/src/ap/vlan_init.c b/src/ap/vlan_init.c
index dc65019..c57c062 100644
--- a/src/ap/vlan_init.c
+++ b/src/ap/vlan_init.c
@@ -485,7 +485,8 @@
wpa_printf(MSG_DEBUG, "VLAN: vlan_newlink(%s)", ifname);
while (vlan) {
- if (os_strcmp(ifname, vlan->ifname) == 0) {
+ if (os_strcmp(ifname, vlan->ifname) == 0 && !vlan->configured) {
+ vlan->configured = 1;
if (hapd->conf->vlan_bridge[0]) {
os_snprintf(br_name, sizeof(br_name), "%s%d",
@@ -651,6 +652,11 @@
if (!ifname[0])
return;
+ if (del && if_nametoindex(ifname)) {
+ /* interface still exists, race condition ->
+ * iface has just been recreated */
+ return;
+ }
wpa_printf(MSG_DEBUG,
"VLAN: RTM_%sLINK: ifi_index=%d ifname=%s ifi_family=%d ifi_flags=0x%x (%s%s%s%s)",
@@ -953,7 +959,8 @@
if (vlan_id <= 0 || vlan_id > MAX_VLAN_ID)
return 1;
- wpa_printf(MSG_DEBUG, "VLAN: %s(vlan_id=%d)", __func__, vlan_id);
+ wpa_printf(MSG_DEBUG, "VLAN: %s(ifname=%s vlan_id=%d)",
+ __func__, hapd->conf->iface, vlan_id);
vlan = hapd->conf->vlan;
while (vlan) {
diff --git a/src/ap/x_snoop.c b/src/ap/x_snoop.c
index 8f77015..aef9a53 100644
--- a/src/ap/x_snoop.c
+++ b/src/ap/x_snoop.c
@@ -51,6 +51,14 @@
return -1;
}
+#ifdef CONFIG_IPV6
+ if (hostapd_drv_br_set_net_param(hapd, DRV_BR_MULTICAST_SNOOPING, 1)) {
+ wpa_printf(MSG_DEBUG,
+ "x_snoop: Failed to enable multicast snooping on the bridge");
+ return -1;
+ }
+#endif /* CONFIG_IPV6 */
+
return 0;
}