[gatesgarth 0/6] patch review Arpil 10th

[gatesgarth 0/6] patch review Arpil 10th

[akuster]

Please have comments back by Sunday

The following changes since commit 317c2dd540c84556127ad07739c0c930a0741b50:

  packagegroup-meta-multimedia: include projucer only with x11 in DISTRO_FEATURES (2021-04-04 12:39:22 -0700)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/gatesgarth-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/gatesgarth-nut

Kartikey Rameshbhai Parmar (1):
  fluidsynth: update SRC_URI to remove non-existing 2.1.x branch

Martin Jansa (2):
  libsmi: use /bin/sh instead of ${base_bindir}/sh to silence QA error
    with usrmerge
  libyui: switch to libyui-old repo which still has this SRCREV

Mingli Yu (2):
  hostapd: fix CVE-2019-5061
  hostapd: fix CVE-2021-0326 and CVE-2021-27803

Oleksiy Obitotskyy (1):
  libsmi: set awk as target path

 .../fluidsynth/fluidsynth.inc                 |   2 +-
 .../hostapd/hostapd/CVE-2019-5061.patch       | 854 ++++++++++++++++++
 .../hostapd/hostapd/CVE-2021-0326.patch       |  43 +
 .../hostapd/hostapd/CVE-2021-27803.patch      |  54 ++
 .../hostapd/hostapd_2.9.bb                    |   3 +
 .../recipes-graphics/libyui/libyui_3.10.0.bb  |   2 +-
 .../recipes-support/libsmi/libsmi_0.5.0.bb    |   2 +-
 7 files changed, 957 insertions(+), 3 deletions(-)
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch

-- 
2.17.1

[gatesgarth 1/6] fluidsynth: update SRC_URI to remove non-existing 2.1.x branch

[akuster]

From: Kartikey Rameshbhai Parmar <kartikey.rameshbhai.parmar@intel.com>

Remove branch 2.1.x from SRC_URI as fluidsynth github removed the branch.
The SRCREV is on master branch

Signed-off-by: Kartikey Rameshbhai Parmar <kartikey.rameshbhai.parmar@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 555b90779f6d86f7df05604f474323d9aef96886)
[AK: Minor clean for gatesgarth context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
index 73c1d0db69f..ee10504023c 100644
--- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
+++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
@@ -4,7 +4,7 @@ SECTION = "libs/multimedia"
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594"
 
-SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=2.1.x"
+SRC_URI = "git://github.com/FluidSynth/fluidsynth.git"
 SRCREV = "6776569abe9a885bcec14141692fa93c0568d51c"
 S = "${WORKDIR}/git"
 PV = "2.1.5"
-- 
2.17.1

[gatesgarth 2/6] libsmi: set awk as target path

[akuster]

From: Oleksiy Obitotskyy <oobitots@cisco.com>

smistrip contains absolute path and prevent to
create reproducible builds. smistrip should use
target awk not host one, so override path.

Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb b/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb
index 98cc63eb3b7..212b1e797c7 100644
--- a/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb
+++ b/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb
@@ -16,7 +16,7 @@ RDEPENDS_${PN} += "wget"
 
 inherit autotools
 
-EXTRA_OECONF = "ac_cv_path_SH=${base_bindir}/sh ac_cv_path_WGET=${bindir}/wget"
+EXTRA_OECONF = "ac_cv_path_SH=${base_bindir}/sh ac_cv_path_WGET=${bindir}/wget ac_cv_path_AWK=${bindir}/awk"
 
 do_install_append () {
     install -d ${D}${sysconfdir}
-- 
2.17.1

[gatesgarth 3/6] libsmi: use /bin/sh instead of ${base_bindir}/sh to silence QA error with usrmerge

[akuster]

From: Martin Jansa <Martin.Jansa@gmail.com>

* with usrmerge ${base_bindir} is /usr/bin/sh and libsmi fails with:
  ERROR: libsmi-0.5.0-r0 do_package_qa: QA Issue: /usr/bin/smistrip contained in package libsmi requires /usr/bin/sh, but no providers found in RDEPENDS_libsmi? [file-rdeps]
  ERROR: libsmi-0.5.0-r0 do_package_qa: QA run found fatal errors. Please consider fixing them.

* this is a bit strange as busybox does install /usr/bin/sh file:
  ./1.33.0-r0.usrmerge/image/usr/bin/sh
  ./1.33.0-r0.default/image/bin/sh

  but also adds /bin/sh to RPROVIDES_${PN} for usrmerge in DISTRO_FEATURES:
  RPROVIDES_${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/sh', '', d)}"
  added in:
  https://git.openembedded.org/openembedded-core/commit/?id=1f6c14939c8daa5e09103789c3ff5031cc888d16

  and 1.33.0-r0.usrmerge/pkgdata/runtime/busybox:FILERPROVIDES_/usr/bin/busybox.nosuid_busybox
  correctly contains /usr/bin/sh

* adding runtime dependency on busybox as /usr/bin/sh provider would silence the QA warning
  but people might not like adding busybox to their image

* using /bin/sh silences the QA warning as well, because /bin/sh is explicitly ignored in file-rdeps insane.bbclass:
  https://git.openembedded.org/openembedded-core/tree/meta/classes/insane.bbclass?id=1f6c14939c8daa5e09103789c3ff5031cc888d16#n907

  if "file-rdeps" not in skip:
    ignored_file_rdeps = set(['/bin/sh', '/usr/bin/env', 'rtld(GNU_HASH)'])

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 08fad9f3a6d1026eea84906c2ede7a4a2dc93863)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb b/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb
index 212b1e797c7..ae76fade738 100644
--- a/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb
+++ b/meta-oe/recipes-support/libsmi/libsmi_0.5.0.bb
@@ -16,7 +16,7 @@ RDEPENDS_${PN} += "wget"
 
 inherit autotools
 
-EXTRA_OECONF = "ac_cv_path_SH=${base_bindir}/sh ac_cv_path_WGET=${bindir}/wget ac_cv_path_AWK=${bindir}/awk"
+EXTRA_OECONF = "ac_cv_path_SH=/bin/sh ac_cv_path_WGET=${bindir}/wget ac_cv_path_AWK=${bindir}/awk"
 
 do_install_append () {
     install -d ${D}${sysconfdir}
-- 
2.17.1

[gatesgarth 4/6] libyui: switch to libyui-old repo which still has this SRCREV

[akuster]

From: Martin Jansa <Martin.Jansa@gmail.com>

* af06143017fc5f18c4b6488ba4aed26bcc43ff6e doesn't exist in current repo:
  libyui$ git branch -a --contains af06143017fc5f18c4b6488ba4aed26bcc43ff6e
  error: no such commit af06143017fc5f18c4b6488ba4aed26bcc43ff6e

* there are no common commits in the new libyui repo, but luckily old
  repo is kept as
  https://github.com/libyui/libyui-old
  similarly libyui-ncurses now contains only README about being obsolete in:
  https://github.com/libyui/libyui-ncurses
  but at least it wasn't rewritten to have the new content

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 902919167a97055e9be9cd3654f29823e81ae382)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-graphics/libyui/libyui_3.10.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-graphics/libyui/libyui_3.10.0.bb b/meta-oe/recipes-graphics/libyui/libyui_3.10.0.bb
index d7f529e3138..286d3ac9119 100644
--- a/meta-oe/recipes-graphics/libyui/libyui_3.10.0.bb
+++ b/meta-oe/recipes-graphics/libyui/libyui_3.10.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING.gpl-3;md5=d32239bcb673463ab874e80d47fae504 \
                     file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \
                    "
 
-SRC_URI = "git://github.com/libyui/libyui.git \
+SRC_URI = "git://github.com/libyui/libyui-old.git \
            file://0001-Fix-build-with-clang.patch \
            file://0001-Use-relative-install-paths-for-CMake.patch \
            "
-- 
2.17.1

[gatesgarth 5/6] hostapd: fix CVE-2019-5061

[akuster]

From: Mingli Yu <mingli.yu@windriver.com>

Backport a patch to fix CVE-2019-5061.

Reference: https://security-tracker.debian.org/tracker/CVE-2019-5061

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../hostapd/hostapd/CVE-2019-5061.patch       | 854 ++++++++++++++++++
 .../hostapd/hostapd_2.9.bb                    |   1 +
 2 files changed, 855 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
new file mode 100644
index 00000000000..9214615d12f
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch
@@ -0,0 +1,854 @@
+From 018edec9b2bd3db20605117c32ff79c1e625c432 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 11 Sep 2019 12:34:28 +0300
+Subject: [PATCH] Remove IAPP functionality from hostapd
+
+IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
+maintained nor is there any expectation of the withdrawn trial-use
+recommended practice to be maintained in the future. Furthermore,
+implementation of IAPP in hostapd was not complete, i.e., only parts of
+the recommended practice were included. The main item of some real use
+long time ago was the Layer 2 Update frame to update bridges when a STA
+roams within an ESS, but that functionality has, in practice, been moved
+to kernel drivers to provide better integration with the networking
+stack.
+
+CVE: CVE-2019-5061
+
+Upstream-Status: Backport
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ hostapd/Android.mk                        |   5 -
+ hostapd/Makefile                          |   5 -
+ hostapd/android.config                    |   3 -
+ hostapd/config_file.c                     |   3 +-
+ hostapd/defconfig                         |   3 -
+ hostapd/hostapd.conf                      |   6 -
+ hostapd/main.c                            |   3 -
+ src/ap/Makefile                           |   2 -
+ src/ap/ap_config.h                        |   4 -
+ src/ap/hostapd.c                          |  14 -
+ src/ap/hostapd.h                          |   2 -
+ src/ap/iapp.c                             | 542 ----------------------
+ src/ap/iapp.h                             |  39 --
+ src/utils/wpa_debug.h                     |   1 -
+ 14 files changed, 1 insertion(+), 633 deletions(-)
+ delete mode 100644 src/ap/iapp.c
+ delete mode 100644 src/ap/iapp.h
+
+diff --git a/hostapd/Android.mk b/hostapd/Android.mk
+index 3183323ef..a87ac8144 100644
+--- a/hostapd/Android.mk
++++ b/hostapd/Android.mk
+@@ -205,11 +205,6 @@ endif
+ 
+ L_CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX
+ 
+-ifdef CONFIG_IAPP
+-L_CFLAGS += -DCONFIG_IAPP
+-OBJS += src/ap/iapp.c
+-endif
+-
+ ifdef CONFIG_RSN_PREAUTH
+ L_CFLAGS += -DCONFIG_RSN_PREAUTH
+ CONFIG_L2_PACKET=y
+diff --git a/hostapd/Makefile b/hostapd/Makefile
+index f7f4c785b..42bb9e4c8 100644
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -248,11 +248,6 @@ ifndef CONFIG_NO_CTRL_IFACE
+ CFLAGS += -DCONFIG_CTRL_IFACE
+ endif
+ 
+-ifdef CONFIG_IAPP
+-CFLAGS += -DCONFIG_IAPP
+-OBJS += ../src/ap/iapp.o
+-endif
+-
+ ifdef CONFIG_RSN_PREAUTH
+ CFLAGS += -DCONFIG_RSN_PREAUTH
+ CONFIG_L2_PACKET=y
+diff --git a/hostapd/android.config b/hostapd/android.config
+index efe252332..e2e6c7821 100644
+--- a/hostapd/android.config
++++ b/hostapd/android.config
+@@ -38,9 +38,6 @@ CONFIG_DRIVER_NL80211_QCA=y
+ # Driver interface for no driver (e.g., RADIUS server only)
+ #CONFIG_DRIVER_NONE=y
+ 
+-# IEEE 802.11F/IAPP
+-#CONFIG_IAPP=y
+-
+ # WPA2/IEEE 802.11i RSN pre-authentication
+ #CONFIG_RSN_PREAUTH=y
+ 
+diff --git a/hostapd/config_file.c b/hostapd/config_file.c
+index 680f17ee0..0d340d252 100644
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2712,8 +2712,7 @@ static int hostapd_config_fill(struct hostapd_config *conf,
+ 		bss->eapol_key_index_workaround = atoi(pos);
+ #ifdef CONFIG_IAPP
+ 	} else if (os_strcmp(buf, "iapp_interface") == 0) {
+-		bss->ieee802_11f = 1;
+-		os_strlcpy(bss->iapp_iface, pos, sizeof(bss->iapp_iface));
++		wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used");
+ #endif /* CONFIG_IAPP */
+ 	} else if (os_strcmp(buf, "own_ip_addr") == 0) {
+ 		if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) {
+diff --git a/hostapd/defconfig b/hostapd/defconfig
+index b1fb56c3b..1a3d9f9ba 100644
+--- a/hostapd/defconfig
++++ b/hostapd/defconfig
+@@ -44,9 +44,6 @@ CONFIG_LIBNL32=y
+ # Driver interface for no driver (e.g., RADIUS server only)
+ #CONFIG_DRIVER_NONE=y
+ 
+-# IEEE 802.11F/IAPP
+-CONFIG_IAPP=y
+-
+ # WPA2/IEEE 802.11i RSN pre-authentication
+ CONFIG_RSN_PREAUTH=y
+ 
+diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
+index 6c96a760a..a3c698480 100644
+--- a/hostapd/hostapd.conf
++++ b/hostapd/hostapd.conf
+@@ -41,7 +41,6 @@ interface=wlan0
+ # bit 2 (4) = RADIUS
+ # bit 3 (8) = WPA
+ # bit 4 (16) = driver interface
+-# bit 5 (32) = IAPP
+ # bit 6 (64) = MLME
+ #
+ # Levels (minimum value for logged events):
+@@ -1243,11 +1242,6 @@ eap_server=0
+ # Whether to enable ERP on the EAP server.
+ #eap_server_erp=1
+ 
+-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
+-
+-# Interface to be used for IAPP broadcast packets
+-#iapp_interface=eth0
+-
+ 
+ ##### RADIUS client configuration #############################################
+ # for IEEE 802.1X with external Authentication Server, IEEE 802.11
+diff --git a/hostapd/main.c b/hostapd/main.c
+index 08896ffe2..8bfe24281 100644
+--- a/hostapd/main.c
++++ b/hostapd/main.c
+@@ -81,9 +81,6 @@ static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
+ 	case HOSTAPD_MODULE_DRIVER:
+ 		module_str = "DRIVER";
+ 		break;
+-	case HOSTAPD_MODULE_IAPP:
+-		module_str = "IAPP";
+-		break;
+ 	case HOSTAPD_MODULE_MLME:
+ 		module_str = "MLME";
+ 		break;
+diff --git a/src/ap/Makefile b/src/ap/Makefile
+index bd3f33b77..54e48a0dd 100644
+--- a/src/ap/Makefile
++++ b/src/ap/Makefile
+@@ -18,7 +18,6 @@ CFLAGS += -DCONFIG_IEEE80211R_AP
+ CFLAGS += -DCONFIG_WPS
+ CFLAGS += -DCONFIG_PROXYARP
+ CFLAGS += -DCONFIG_IPV6
+-CFLAGS += -DCONFIG_IAPP
+ CFLAGS += -DCONFIG_AIRTIME_POLICY
+ 
+ LIB_OBJS= \
+@@ -41,7 +40,6 @@ LIB_OBJS= \
+ 	hostapd.o \
+ 	hs20.o \
+ 	hw_features.o \
+-	iapp.o \
+ 	ieee802_11_auth.o \
+ 	ieee802_11.o \
+ 	ieee802_11_ht.o \
+diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
+index e219160b0..17eb0682b 100644
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -325,10 +325,6 @@ struct hostapd_bss_config {
+ 	int erp_send_reauth_start;
+ 	char *erp_domain;
+ 
+-	int ieee802_11f; /* use IEEE 802.11f (IAPP) */
+-	char iapp_iface[IFNAMSIZ + 1]; /* interface used with IAPP broadcast
+-					* frames */
+-
+ 	enum macaddr_acl {
+ 		ACCEPT_UNLESS_DENIED = 0,
+ 		DENY_UNLESS_ACCEPTED = 1,
+diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
+index ef988b634..bf7b1f89e 100644
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -28,7 +28,6 @@
+ #include "accounting.h"
+ #include "ap_list.h"
+ #include "beacon.h"
+-#include "iapp.h"
+ #include "ieee802_1x.h"
+ #include "ieee802_11_auth.h"
+ #include "vlan_init.h"
+@@ -361,8 +360,6 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd)
+ 	hapd->beacon_set_done = 0;
+ 
+ 	wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
+-	iapp_deinit(hapd->iapp);
+-	hapd->iapp = NULL;
+ 	accounting_deinit(hapd);
+ 	hostapd_deinit_wpa(hapd);
+ 	vlan_deinit(hapd);
+@@ -1296,13 +1293,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first)
+ 		return -1;
+ 	}
+ 
+-	if (conf->ieee802_11f &&
+-	    (hapd->iapp = iapp_init(hapd, conf->iapp_iface)) == NULL) {
+-		wpa_printf(MSG_ERROR, "IEEE 802.11F (IAPP) initialization "
+-			   "failed.");
+-		return -1;
+-	}
+-
+ #ifdef CONFIG_INTERWORKING
+ 	if (gas_serv_init(hapd)) {
+ 		wpa_printf(MSG_ERROR, "GAS server initialization failed");
+@@ -3056,10 +3046,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
+ 	hostapd_prune_associations(hapd, sta->addr);
+ 	ap_sta_clear_disconnect_timeouts(hapd, sta);
+ 
+-	/* IEEE 802.11F (IAPP) */
+-	if (hapd->conf->ieee802_11f)
+-		iapp_new_station(hapd->iapp, sta);
+-
+ #ifdef CONFIG_P2P
+ 	if (sta->p2p_ie == NULL && !sta->no_p2p_set) {
+ 		sta->no_p2p_set = 1;
+diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
+index 5b859b8a9..2358d1664 100644
+--- a/src/ap/hostapd.h
++++ b/src/ap/hostapd.h
+@@ -179,8 +179,6 @@ struct hostapd_data {
+ 	u64 acct_session_id;
+ 	struct radius_das_data *radius_das;
+ 
+-	struct iapp_data *iapp;
+-
+ 	struct hostapd_cached_radius_acl *acl_cache;
+ 	struct hostapd_acl_query_data *acl_queries;
+ 
+diff --git a/src/ap/iapp.c b/src/ap/iapp.c
+deleted file mode 100644
+index 2556da30c..000000000
+--- a/src/ap/iapp.c
++++ /dev/null
+@@ -1,542 +0,0 @@
+-/*
+- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP)
+- * Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi>
+- *
+- * This software may be distributed under the terms of the BSD license.
+- * See README for more details.
+- *
+- * Note: IEEE 802.11F-2003 was a experimental use specification. It has expired
+- * and IEEE has withdrawn it. In other words, it is likely better to look at
+- * using some other mechanism for AP-to-AP communication than extending the
+- * implementation here.
+- */
+-
+-/* TODO:
+- * Level 1: no administrative or security support
+- *	(e.g., static BSSID to IP address mapping in each AP)
+- * Level 2: support for dynamic mapping of BSSID to IP address
+- * Level 3: support for encryption and authentication of IAPP messages
+- * - add support for MOVE-notify and MOVE-response (this requires support for
+- *   finding out IP address for previous AP using RADIUS)
+- * - add support for Send- and ACK-Security-Block to speedup IEEE 802.1X during
+- *   reassociation to another AP
+- * - implement counters etc. for IAPP MIB
+- * - verify endianness of fields in IAPP messages; are they big-endian as
+- *   used here?
+- * - RADIUS connection for AP registration and BSSID to IP address mapping
+- * - TCP connection for IAPP MOVE, CACHE
+- * - broadcast ESP for IAPP ADD-notify
+- * - ESP for IAPP MOVE messages
+- * - security block sending/processing
+- * - IEEE 802.11 context transfer
+- */
+-
+-#include "utils/includes.h"
+-#include <net/if.h>
+-#include <sys/ioctl.h>
+-#include <netpacket/packet.h>
+-
+-#include "utils/common.h"
+-#include "utils/eloop.h"
+-#include "common/ieee802_11_defs.h"
+-#include "hostapd.h"
+-#include "ap_config.h"
+-#include "ieee802_11.h"
+-#include "sta_info.h"
+-#include "iapp.h"
+-
+-
+-#define IAPP_MULTICAST "224.0.1.178"
+-#define IAPP_UDP_PORT 3517
+-#define IAPP_TCP_PORT 3517
+-
+-struct iapp_hdr {
+-	u8 version;
+-	u8 command;
+-	be16 identifier;
+-	be16 length;
+-	/* followed by length-6 octets of data */
+-} __attribute__ ((packed));
+-
+-#define IAPP_VERSION 0
+-
+-enum IAPP_COMMAND {
+-	IAPP_CMD_ADD_notify = 0,
+-	IAPP_CMD_MOVE_notify = 1,
+-	IAPP_CMD_MOVE_response = 2,
+-	IAPP_CMD_Send_Security_Block = 3,
+-	IAPP_CMD_ACK_Security_Block = 4,
+-	IAPP_CMD_CACHE_notify = 5,
+-	IAPP_CMD_CACHE_response = 6,
+-};
+-
+-
+-/* ADD-notify - multicast UDP on the local LAN */
+-struct iapp_add_notify {
+-	u8 addr_len; /* ETH_ALEN */
+-	u8 reserved;
+-	u8 mac_addr[ETH_ALEN];
+-	be16 seq_num;
+-} __attribute__ ((packed));
+-
+-
+-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+-struct iapp_layer2_update {
+-	u8 da[ETH_ALEN]; /* broadcast */
+-	u8 sa[ETH_ALEN]; /* STA addr */
+-	be16 len; /* 6 */
+-	u8 dsap; /* null DSAP address */
+-	u8 ssap; /* null SSAP address, CR=Response */
+-	u8 control;
+-	u8 xid_info[3];
+-} __attribute__ ((packed));
+-
+-
+-/* MOVE-notify - unicast TCP */
+-struct iapp_move_notify {
+-	u8 addr_len; /* ETH_ALEN */
+-	u8 reserved;
+-	u8 mac_addr[ETH_ALEN];
+-	u16 seq_num;
+-	u16 ctx_block_len;
+-	/* followed by ctx_block_len bytes */
+-} __attribute__ ((packed));
+-
+-
+-/* MOVE-response - unicast TCP */
+-struct iapp_move_response {
+-	u8 addr_len; /* ETH_ALEN */
+-	u8 status;
+-	u8 mac_addr[ETH_ALEN];
+-	u16 seq_num;
+-	u16 ctx_block_len;
+-	/* followed by ctx_block_len bytes */
+-} __attribute__ ((packed));
+-
+-enum {
+-	IAPP_MOVE_SUCCESSFUL = 0,
+-	IAPP_MOVE_DENIED = 1,
+-	IAPP_MOVE_STALE_MOVE = 2,
+-};
+-
+-
+-/* CACHE-notify */
+-struct iapp_cache_notify {
+-	u8 addr_len; /* ETH_ALEN */
+-	u8 reserved;
+-	u8 mac_addr[ETH_ALEN];
+-	u16 seq_num;
+-	u8 current_ap[ETH_ALEN];
+-	u16 ctx_block_len;
+-	/* ctx_block_len bytes of context block followed by 16-bit context
+-	 * timeout */
+-} __attribute__ ((packed));
+-
+-
+-/* CACHE-response - unicast TCP */
+-struct iapp_cache_response {
+-	u8 addr_len; /* ETH_ALEN */
+-	u8 status;
+-	u8 mac_addr[ETH_ALEN];
+-	u16 seq_num;
+-} __attribute__ ((packed));
+-
+-enum {
+-	IAPP_CACHE_SUCCESSFUL = 0,
+-	IAPP_CACHE_STALE_CACHE = 1,
+-};
+-
+-
+-/* Send-Security-Block - unicast TCP */
+-struct iapp_send_security_block {
+-	u8 iv[8];
+-	u16 sec_block_len;
+-	/* followed by sec_block_len bytes of security block */
+-} __attribute__ ((packed));
+-
+-
+-/* ACK-Security-Block - unicast TCP */
+-struct iapp_ack_security_block {
+-	u8 iv[8];
+-	u8 new_ap_ack_authenticator[48];
+-} __attribute__ ((packed));
+-
+-
+-struct iapp_data {
+-	struct hostapd_data *hapd;
+-	u16 identifier; /* next IAPP identifier */
+-	struct in_addr own, multicast;
+-	int udp_sock;
+-	int packet_sock;
+-};
+-
+-
+-static void iapp_send_add(struct iapp_data *iapp, u8 *mac_addr, u16 seq_num)
+-{
+-	char buf[128];
+-	struct iapp_hdr *hdr;
+-	struct iapp_add_notify *add;
+-	struct sockaddr_in addr;
+-
+-	/* Send IAPP ADD-notify to remove possible association from other APs
+-	 */
+-
+-	hdr = (struct iapp_hdr *) buf;
+-	hdr->version = IAPP_VERSION;
+-	hdr->command = IAPP_CMD_ADD_notify;
+-	hdr->identifier = host_to_be16(iapp->identifier++);
+-	hdr->length = host_to_be16(sizeof(*hdr) + sizeof(*add));
+-
+-	add = (struct iapp_add_notify *) (hdr + 1);
+-	add->addr_len = ETH_ALEN;
+-	add->reserved = 0;
+-	os_memcpy(add->mac_addr, mac_addr, ETH_ALEN);
+-
+-	add->seq_num = host_to_be16(seq_num);
+-	
+-	os_memset(&addr, 0, sizeof(addr));
+-	addr.sin_family = AF_INET;
+-	addr.sin_addr.s_addr = iapp->multicast.s_addr;
+-	addr.sin_port = htons(IAPP_UDP_PORT);
+-	if (sendto(iapp->udp_sock, buf, (char *) (add + 1) - buf, 0,
+-		   (struct sockaddr *) &addr, sizeof(addr)) < 0)
+-		wpa_printf(MSG_INFO, "sendto[IAPP-ADD]: %s", strerror(errno));
+-}
+-
+-
+-static void iapp_send_layer2_update(struct iapp_data *iapp, u8 *addr)
+-{
+-	struct iapp_layer2_update msg;
+-
+-	/* Send Level 2 Update Frame to update forwarding tables in layer 2
+-	 * bridge devices */
+-
+-	/* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+-	 * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+-
+-	os_memset(msg.da, 0xff, ETH_ALEN);
+-	os_memcpy(msg.sa, addr, ETH_ALEN);
+-	msg.len = host_to_be16(6);
+-	msg.dsap = 0; /* NULL DSAP address */
+-	msg.ssap = 0x01; /* NULL SSAP address, CR Bit: Response */
+-	msg.control = 0xaf; /* XID response lsb.1111F101.
+-			     * F=0 (no poll command; unsolicited frame) */
+-	msg.xid_info[0] = 0x81; /* XID format identifier */
+-	msg.xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
+-	msg.xid_info[2] = 1 << 1; /* XID sender's receive window size (RW)
+-				   * FIX: what is correct RW with 802.11? */
+-
+-	if (send(iapp->packet_sock, &msg, sizeof(msg), 0) < 0)
+-		wpa_printf(MSG_INFO, "send[L2 Update]: %s", strerror(errno));
+-}
+-
+-
+-/**
+- * iapp_new_station - IAPP processing for a new STA
+- * @iapp: IAPP data
+- * @sta: The associated station
+- */
+-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta)
+-{
+-	u16 seq = 0; /* TODO */
+-
+-	if (iapp == NULL)
+-		return;
+-
+-	/* IAPP-ADD.request(MAC Address, Sequence Number, Timeout) */
+-	hostapd_logger(iapp->hapd, sta->addr, HOSTAPD_MODULE_IAPP,
+-		       HOSTAPD_LEVEL_DEBUG, "IAPP-ADD.request(seq=%d)", seq);
+-	iapp_send_layer2_update(iapp, sta->addr);
+-	iapp_send_add(iapp, sta->addr, seq);
+-
+-	/* TODO: If this was reassociation:
+-	 * IAPP-MOVE.request(MAC Address, Sequence Number, Old AP,
+-	 *                   Context Block, Timeout)
+-	 * TODO: Send IAPP-MOVE to the old AP; Map Old AP BSSID to
+-	 * IP address */
+-}
+-
+-
+-static void iapp_process_add_notify(struct iapp_data *iapp,
+-				    struct sockaddr_in *from,
+-				    struct iapp_hdr *hdr, int len)
+-{
+-	struct iapp_add_notify *add = (struct iapp_add_notify *) (hdr + 1);
+-	struct sta_info *sta;
+-
+-	if (len != sizeof(*add)) {
+-		wpa_printf(MSG_INFO, "Invalid IAPP-ADD packet length %d (expected %lu)",
+-			   len, (unsigned long) sizeof(*add));
+-		return;
+-	}
+-
+-	sta = ap_get_sta(iapp->hapd, add->mac_addr);
+-
+-	/* IAPP-ADD.indication(MAC Address, Sequence Number) */
+-	hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP,
+-		       HOSTAPD_LEVEL_INFO,
+-		       "Received IAPP ADD-notify (seq# %d) from %s:%d%s",
+-		       be_to_host16(add->seq_num),
+-		       inet_ntoa(from->sin_addr), ntohs(from->sin_port),
+-		       sta ? "" : " (STA not found)");
+-
+-	if (!sta)
+-		return;
+-
+-	/* TODO: could use seq_num to try to determine whether last association
+-	 * to this AP is newer than the one advertised in IAPP-ADD. Although,
+-	 * this is not really a reliable verification. */
+-
+-	hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP,
+-		       HOSTAPD_LEVEL_DEBUG,
+-		       "Removing STA due to IAPP ADD-notify");
+-	ap_sta_disconnect(iapp->hapd, sta, NULL, 0);
+-}
+-
+-
+-/**
+- * iapp_receive_udp - Process IAPP UDP frames
+- * @sock: File descriptor for the socket
+- * @eloop_ctx: IAPP data (struct iapp_data *)
+- * @sock_ctx: Not used
+- */
+-static void iapp_receive_udp(int sock, void *eloop_ctx, void *sock_ctx)
+-{
+-	struct iapp_data *iapp = eloop_ctx;
+-	int len, hlen;
+-	unsigned char buf[128];
+-	struct sockaddr_in from;
+-	socklen_t fromlen;
+-	struct iapp_hdr *hdr;
+-
+-	/* Handle incoming IAPP frames (over UDP/IP) */
+-
+-	fromlen = sizeof(from);
+-	len = recvfrom(iapp->udp_sock, buf, sizeof(buf), 0,
+-		       (struct sockaddr *) &from, &fromlen);
+-	if (len < 0) {
+-		wpa_printf(MSG_INFO, "iapp_receive_udp - recvfrom: %s",
+-			   strerror(errno));
+-		return;
+-	}
+-
+-	if (from.sin_addr.s_addr == iapp->own.s_addr)
+-		return; /* ignore own IAPP messages */
+-
+-	hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP,
+-		       HOSTAPD_LEVEL_DEBUG,
+-		       "Received %d byte IAPP frame from %s%s\n",
+-		       len, inet_ntoa(from.sin_addr),
+-		       len < (int) sizeof(*hdr) ? " (too short)" : "");
+-
+-	if (len < (int) sizeof(*hdr))
+-		return;
+-
+-	hdr = (struct iapp_hdr *) buf;
+-	hlen = be_to_host16(hdr->length);
+-	hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP,
+-		       HOSTAPD_LEVEL_DEBUG,
+-		       "RX: version=%d command=%d id=%d len=%d\n",
+-		       hdr->version, hdr->command,
+-		       be_to_host16(hdr->identifier), hlen);
+-	if (hdr->version != IAPP_VERSION) {
+-		wpa_printf(MSG_INFO, "Dropping IAPP frame with unknown version %d",
+-			   hdr->version);
+-		return;
+-	}
+-	if (hlen > len) {
+-		wpa_printf(MSG_INFO, "Underflow IAPP frame (hlen=%d len=%d)",
+-			   hlen, len);
+-		return;
+-	}
+-	if (hlen < len) {
+-		wpa_printf(MSG_INFO, "Ignoring %d extra bytes from IAPP frame",
+-			   len - hlen);
+-		len = hlen;
+-	}
+-
+-	switch (hdr->command) {
+-	case IAPP_CMD_ADD_notify:
+-		iapp_process_add_notify(iapp, &from, hdr, len - sizeof(*hdr));
+-		break;
+-	case IAPP_CMD_MOVE_notify:
+-		/* TODO: MOVE is using TCP; so move this to TCP handler once it
+-		 * is implemented.. */
+-		/* IAPP-MOVE.indication(MAC Address, New BSSID,
+-		 * Sequence Number, AP Address, Context Block) */
+-		/* TODO: process */
+-		break;
+-	default:
+-		wpa_printf(MSG_INFO, "Unknown IAPP command %d", hdr->command);
+-		break;
+-	}
+-}
+-
+-
+-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface)
+-{
+-	struct ifreq ifr;
+-	struct sockaddr_ll addr;
+-	int ifindex;
+-	struct sockaddr_in *paddr, uaddr;
+-	struct iapp_data *iapp;
+-	struct ip_mreqn mreq;
+-	int reuseaddr = 1;
+-
+-	iapp = os_zalloc(sizeof(*iapp));
+-	if (iapp == NULL)
+-		return NULL;
+-	iapp->hapd = hapd;
+-	iapp->udp_sock = iapp->packet_sock = -1;
+-
+-	/* TODO:
+-	 * open socket for sending and receiving IAPP frames over TCP
+-	 */
+-
+-	iapp->udp_sock = socket(PF_INET, SOCK_DGRAM, 0);
+-	if (iapp->udp_sock < 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - socket[PF_INET,SOCK_DGRAM]: %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-
+-	os_memset(&ifr, 0, sizeof(ifr));
+-	os_strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name));
+-	if (ioctl(iapp->udp_sock, SIOCGIFINDEX, &ifr) != 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFINDEX): %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-	ifindex = ifr.ifr_ifindex;
+-
+-	if (ioctl(iapp->udp_sock, SIOCGIFADDR, &ifr) != 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFADDR): %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-	paddr = (struct sockaddr_in *) &ifr.ifr_addr;
+-	if (paddr->sin_family != AF_INET) {
+-		wpa_printf(MSG_INFO, "IAPP: Invalid address family %i (SIOCGIFADDR)",
+-			   paddr->sin_family);
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-	iapp->own.s_addr = paddr->sin_addr.s_addr;
+-
+-	if (ioctl(iapp->udp_sock, SIOCGIFBRDADDR, &ifr) != 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFBRDADDR): %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-	paddr = (struct sockaddr_in *) &ifr.ifr_addr;
+-	if (paddr->sin_family != AF_INET) {
+-		wpa_printf(MSG_INFO, "Invalid address family %i (SIOCGIFBRDADDR)",
+-			   paddr->sin_family);
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-	inet_aton(IAPP_MULTICAST, &iapp->multicast);
+-
+-	os_memset(&uaddr, 0, sizeof(uaddr));
+-	uaddr.sin_family = AF_INET;
+-	uaddr.sin_port = htons(IAPP_UDP_PORT);
+-
+-	if (setsockopt(iapp->udp_sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
+-		       sizeof(reuseaddr)) < 0) {
+-		wpa_printf(MSG_INFO,
+-			   "iapp_init - setsockopt[UDP,SO_REUSEADDR]: %s",
+-			   strerror(errno));
+-		/*
+-		 * Ignore this and try to continue. This is fine for single
+-		 * BSS cases, but may fail if multiple BSSes enable IAPP.
+-		 */
+-	}
+-
+-	if (bind(iapp->udp_sock, (struct sockaddr *) &uaddr,
+-		 sizeof(uaddr)) < 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - bind[UDP]: %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-
+-	os_memset(&mreq, 0, sizeof(mreq));
+-	mreq.imr_multiaddr = iapp->multicast;
+-	mreq.imr_address.s_addr = INADDR_ANY;
+-	mreq.imr_ifindex = 0;
+-	if (setsockopt(iapp->udp_sock, SOL_IP, IP_ADD_MEMBERSHIP, &mreq,
+-		       sizeof(mreq)) < 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - setsockopt[UDP,IP_ADD_MEMBERSHIP]: %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-
+-	iapp->packet_sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
+-	if (iapp->packet_sock < 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - socket[PF_PACKET,SOCK_RAW]: %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-
+-	os_memset(&addr, 0, sizeof(addr));
+-	addr.sll_family = AF_PACKET;
+-	addr.sll_ifindex = ifindex;
+-	if (bind(iapp->packet_sock, (struct sockaddr *) &addr,
+-		 sizeof(addr)) < 0) {
+-		wpa_printf(MSG_INFO, "iapp_init - bind[PACKET]: %s",
+-			   strerror(errno));
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-
+-	if (eloop_register_read_sock(iapp->udp_sock, iapp_receive_udp,
+-				     iapp, NULL)) {
+-		wpa_printf(MSG_INFO, "Could not register read socket for IAPP");
+-		iapp_deinit(iapp);
+-		return NULL;
+-	}
+-
+-	wpa_printf(MSG_INFO, "IEEE 802.11F (IAPP) using interface %s", iface);
+-
+-	/* TODO: For levels 2 and 3: send RADIUS Initiate-Request, receive
+-	 * RADIUS Initiate-Accept or Initiate-Reject. IAPP port should actually
+-	 * be openned only after receiving Initiate-Accept. If Initiate-Reject
+-	 * is received, IAPP is not started. */
+-
+-	return iapp;
+-}
+-
+-
+-void iapp_deinit(struct iapp_data *iapp)
+-{
+-	struct ip_mreqn mreq;
+-
+-	if (iapp == NULL)
+-		return;
+-
+-	if (iapp->udp_sock >= 0) {
+-		os_memset(&mreq, 0, sizeof(mreq));
+-		mreq.imr_multiaddr = iapp->multicast;
+-		mreq.imr_address.s_addr = INADDR_ANY;
+-		mreq.imr_ifindex = 0;
+-		if (setsockopt(iapp->udp_sock, SOL_IP, IP_DROP_MEMBERSHIP,
+-			       &mreq, sizeof(mreq)) < 0) {
+-			wpa_printf(MSG_INFO, "iapp_deinit - setsockopt[UDP,IP_DEL_MEMBERSHIP]: %s",
+-				   strerror(errno));
+-		}
+-
+-		eloop_unregister_read_sock(iapp->udp_sock);
+-		close(iapp->udp_sock);
+-	}
+-	if (iapp->packet_sock >= 0) {
+-		eloop_unregister_read_sock(iapp->packet_sock);
+-		close(iapp->packet_sock);
+-	}
+-	os_free(iapp);
+-}
+diff --git a/src/ap/iapp.h b/src/ap/iapp.h
+deleted file mode 100644
+index c22118342..000000000
+--- a/src/ap/iapp.h
++++ /dev/null
+@@ -1,39 +0,0 @@
+-/*
+- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP)
+- * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi>
+- *
+- * This software may be distributed under the terms of the BSD license.
+- * See README for more details.
+- */
+-
+-#ifndef IAPP_H
+-#define IAPP_H
+-
+-struct iapp_data;
+-
+-#ifdef CONFIG_IAPP
+-
+-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta);
+-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface);
+-void iapp_deinit(struct iapp_data *iapp);
+-
+-#else /* CONFIG_IAPP */
+-
+-static inline void iapp_new_station(struct iapp_data *iapp,
+-				    struct sta_info *sta)
+-{
+-}
+-
+-static inline struct iapp_data * iapp_init(struct hostapd_data *hapd,
+-					   const char *iface)
+-{
+-	return NULL;
+-}
+-
+-static inline void iapp_deinit(struct iapp_data *iapp)
+-{
+-}
+-
+-#endif /* CONFIG_IAPP */
+-
+-#endif /* IAPP_H */
+diff --git a/src/utils/wpa_debug.h b/src/utils/wpa_debug.h
+index 1fe0b7db7..c94c4391f 100644
+--- a/src/utils/wpa_debug.h
++++ b/src/utils/wpa_debug.h
+@@ -305,7 +305,6 @@ void hostapd_logger_register_cb(hostapd_logger_cb_func func);
+ #define HOSTAPD_MODULE_RADIUS		0x00000004
+ #define HOSTAPD_MODULE_WPA		0x00000008
+ #define HOSTAPD_MODULE_DRIVER		0x00000010
+-#define HOSTAPD_MODULE_IAPP		0x00000020
+ #define HOSTAPD_MODULE_MLME		0x00000040
+ 
+ enum hostapd_logger_level {
+-- 
+2.17.1
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 68dc1237025..1f38eee0ffe 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
     file://init \
     file://hostapd.service \
     file://CVE-2019-16275.patch \
+    file://CVE-2019-5061.patch \
 "
 
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"
-- 
2.17.1

[gatesgarth 6/6] hostapd: fix CVE-2021-0326 and CVE-2021-27803

[akuster]

From: Mingli Yu <mingli.yu@windriver.com>

Backport 2 patches to fix two CVEs.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5a085c588adaf79bb2bca7921c82d893877b28a1)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../hostapd/hostapd/CVE-2021-0326.patch       | 43 +++++++++++++++
 .../hostapd/hostapd/CVE-2021-27803.patch      | 54 +++++++++++++++++++
 .../hostapd/hostapd_2.9.bb                    |  2 +
 3 files changed, 99 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
new file mode 100644
index 00000000000..54c405b539c
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
@@ -0,0 +1,43 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+CVE: CVE-2021-0326
+
+Upstream-Status: Backport
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index 74b7b52ae..5cbfc217f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ 	dev->info.config_methods = cli->config_methods;
+ 	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ 	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++	if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++		dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ 	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ 		  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
new file mode 100644
index 00000000000..fedff76b180
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
@@ -0,0 +1,54 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+CVE: CVE-2021-27803
+
+Upstream-Status: Backport
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f..05fd59349 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ 			goto out;
+ 		}
+ 
++		dev = p2p_get_device(p2p, sa);
+ 		if (!dev) {
+-			dev = p2p_get_device(p2p, sa);
+-			if (!dev) {
+-				p2p_dbg(p2p,
+-					"Provision Discovery device not found "
+-					MACSTR, MAC2STR(sa));
+-				goto out;
+-			}
++			p2p_dbg(p2p,
++				"Provision Discovery device not found "
++				MACSTR, MAC2STR(sa));
++			goto out;
+ 		}
+ 	} else if (msg.wfd_subelems) {
+ 		wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 1f38eee0ffe..87899f3da20 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -13,6 +13,8 @@ SRC_URI = " \
     file://hostapd.service \
     file://CVE-2019-16275.patch \
     file://CVE-2019-5061.patch \
+    file://CVE-2021-0326.patch \
+    file://CVE-2021-27803.patch \
 "
 
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"
-- 
2.17.1

Re: [oe] [gatesgarth 0/6] patch review Arpil 10th

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 1261 bytes --]

On Sat, Apr 10, 2021 at 07:29:28AM -0700, akuster wrote:
> Please have comments back by Sunday
> 
> The following changes since commit 317c2dd540c84556127ad07739c0c930a0741b50:
> 
>   packagegroup-meta-multimedia: include projucer only with x11 in DISTRO_FEATURES (2021-04-04 12:39:22 -0700)
> 
> are available in the Git repository at:
> 
>   git://git.openembedded.org/meta-openembedded-contrib stable/gatesgarth-nut
>   http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/gatesgarth-nut
> 
> Kartikey Rameshbhai Parmar (1):
>   fluidsynth: update SRC_URI to remove non-existing 2.1.x branch
> 
> Martin Jansa (2):
>   libsmi: use /bin/sh instead of ${base_bindir}/sh to silence QA error
>     with usrmerge
>   libyui: switch to libyui-old repo which still has this SRCREV

Acked-by: Martin Jansa <Martin.Jansa@gmail.com>

FWIW: contrib/stable/dunfell-nut contains 2 more commits which aren't included here:

penembedded$ git log --oneline contrib/stable/dunfell-nut
95ace3c621 (contrib/stable/dunfell-nut) libyui: switch to libyui-old repo which still has this SRCREV
144b07682a telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings
1097d3cc70 uml-utilities: fix installed-vs-shipped with usrmerge

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 201 bytes --]