{"id":2223061,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2223061/?format=json","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.0/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<5A981576945DE54A+20260414095446.367922-1-wangxinpeng@uniontech.com>","date":"2026-04-14T09:54:46","name":"[v2] eap_peer: Ignore Identity heartbeats in round counting","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"463536eef404dc437895c36e27187afae1bec2dd","submitter":{"id":82178,"url":"http://patchwork.ozlabs.org/api/1.0/people/82178/?format=json","name":"xinpeng wang","email":"wangxinpeng@uniontech.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/5A981576945DE54A+20260414095446.367922-1-wangxinpeng@uniontech.com/mbox/","series":[{"id":499809,"url":"http://patchwork.ozlabs.org/api/1.0/series/499809/?format=json","date":"2026-04-14T09:54:46","name":"[v2] eap_peer: Ignore Identity heartbeats in round counting","version":2,"mbox":"http://patchwork.ozlabs.org/series/499809/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223061/checks/","tags":{},"headers":{"Return-Path":"\n ","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=Z0b4ACNi;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=uniontech.com header.i=@uniontech.com\n header.a=rsa-sha256 header.s=onoh2408 header.b=h/QDwVGm;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fw06836v9z1xtJ\n\tfor ; Tue, 14 Apr 2026 19:56:11 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCaUQ-0000000H5fF-3fXb;\n\tTue, 14 Apr 2026 09:55:26 +0000","from smtpbg150.qq.com ([18.132.163.193])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wCaUN-0000000H5eH-2kKl\n\tfor hostap@lists.infradead.org;\n\tTue, 14 Apr 2026 09:55:25 +0000","from PEN202512100003 ( [localhost])\n\tby bizesmtp.qq.com (ESMTP) with\n\tid ; Tue, 14 Apr 2026 17:54:55 +0800 (CST)"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=HYooC9IN3c+lTCfF+7u+aThvgN8qyJyCAyhjquruR1o=; b=Z0b4ACNi9AAFkK\n\tA2XrGTNCXSBL+Xr3venfh2QFnvFOV1U+5WBbA6BQr9XZruH6j6qYJd7t8vzXe9BE8I7zCBwN33Z+O\n\tKaKpc+5kmsDjGUkbSJtiXRXfB98cysTq2/c0Fm42yw0UC56Wi+l8znG65f6TNmnTj9k98S9dEYh7R\n\tivjSRNayOoAkuexlWgeHa8BchIWSntAtJaMvXrzaHMw2BYU0Ln+8LQC63CJZJpGufnW3cOoUX8JSb\n\trHP9h9y0KabDH1YzYotbUuYetavqUV9Yhc0yOrKPObchakcHp0zckDr4SbQoJHCHBxqfa1EufY0Py\n\taxd93irPRJANSV7tqWTQ==;","v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniontech.com;\n\ts=onoh2408; t=1776160507;\n\tbh=WzrvnngZQ3Vis582l8tHZPN/+YhHSm5+XTyQEOsXQEo=;\n\th=From:To:Subject:Date:Message-ID:MIME-Version;\n\tb=h/QDwVGmpoykTRyAxsWPeJJcxf0jy4E3nAVWwXj3Mk/gewbOOTiWS01wHtBpkyAZB\n\t 6LeD2PlJ77btx07x4beakRg91Sk4opLqb2/Ikj8utxtTNUGKVACqJtVPxNTRRQiHEx\n\t 2DLV77NrHJkamZVNqGQfu09DyCXNJIKR+gCmxcdE="],"X-QQ-mid":"zesmtpip4t1776160502t0582380f","X-QQ-Originating-IP":"1NfywcV8JSqfIpJi78ZtqJqwhoEKl/isrc4YBDsiSUM=","X-QQ-SSF":"0000000000000000000000000000000","X-QQ-GoodBg":"0","X-BIZMAIL-ID":"9585792897074817768","EX-QQ-RecipientCnt":"3","From":"xinpeng wang ","To":"hostap@lists.infradead.org","Cc":"j@w1.fi,\n\txinpeng wang ","Subject":"[PATCH v2] eap_peer: Ignore Identity heartbeats in round counting","Date":"Tue, 14 Apr 2026 17:54:46 +0800","Message-ID":"\n <5A981576945DE54A+20260414095446.367922-1-wangxinpeng@uniontech.com>","X-Mailer":"git-send-email 2.50.1","In-Reply-To":"\n ","References":"\n ","MIME-Version":"1.0","X-QQ-SENDSIZE":"520","Feedback-ID":"zesmtpip:uniontech.com:qybglogicsvrgz:qybglogicsvrgz3a-0","X-QQ-XMAILINFO":"M9NnLm3GdbLb7QgIb3nCjwUFS4+39mzrrG5f+jdcS42MuLLheWHz6iTB\n\tTBSZOmr8bPoD18lZGP9tpTY+OZvit3w8ZtQn+PcapUpNn0QT9IqKkMgTcR319hRbyhvZqkr\n\tBdJZuam9C8333aI9FQ8mq2qZuh+Q1xoSOSSBRSsJdjsnzPwVFWjrgycgOptvQM6GQkm/rwz\n\tbSUTfnpMhrFnwPDJljSdWJB7pxsmOCABBvExb55oAw048ARfKxFcchr+5bbBgxhCYC7GTLG\n\tz1ZbUB8AiMYaFdlFycGYfI3sduZWmItwofYLZCRxVz+Bsfy7S3HJAwA9ymGyU55e4tT2yOB\n\tU4gnrE2QNBtzGrCLW428WV9VmM4U2Ago1YYY6MhyyU8ulmnPVKso2WSBlroOgWjAgrlsGV2\n\tmk9wWikgVU2u5J0rqLBhQDtd2ojMhU3nrlMXOn051Bq8m8oV7Ux5anMeQKtBNtARwnxX8hv\n\t3Qeh4MezFgMlXxJTQTV86Pk4UxckuohXMl/TC8wH2PV5f/cfosmDPVRX+IsxKKU5wnh3IGX\n\tlH6Ju3Poah3BuyeUT3p3sR8BJZptrwIT3yhEr1+3vJI9mxwK/kiRCOLCrz3PcA6AJXS0Snn\n\tFqK2qjn/59RId9tZl20IMADM43RETEtLdsW5pvEqXLjak0dvqkKkd04pnIwARbpk1Q9+O7l\n\tZRFWMgKctQs3MyH5RMQSZ7E3+277GBNdne+0WyvYu2APzolQmX+Z54wtGxcPU6V9o6uvYDz\n\tJVGHa4gcn3qSusbJLnmgBG6Z6B3tvsVYpqIFJxVNfU1WUvLOFTCFIyPD4Gb2QbZl45GkERc\n\tKNm6ZAKeWuHT5JXY0A5HowqAg20bo0scU+FzVKKxiqBLWWkmRY7j0WWLLbgF8dtNC/xVKoE\n\t+dnFonEn31OrIN7OmKlnTR6PSbviDi4/LPJHAzz/oKf/trXGeUNjMEkQXtGr2lBdST71SOk\n\toQtvwiDBpaVufYc539FnUAyC6BylykQQL/tzH9mt641j6r7nWbBOYCGtREyQTf/v/age+tU\n\tVUSdXvEA==","X-QQ-XMRINFO":"OD9hHCdaPRBwH5bRRRw8tsiH4UAatJqXfg==","X-QQ-RECHKSPAM":"0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260414_025524_499082_52D2218F ","X-CRM114-Status":"GOOD ( 13.29 )","X-Spam-Score":"-2.1 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: In many wired 802.1X network environments,\n the Authenticator\n sends periodic EAP-Request/Identity messages as a non-standard keep-alive\n mechanism after a successful authentication. Since these Identity Requests\n are often short messages (< 20 bytes),\n they consistently increment 'num_rounds_short'\n without being reset by any interleaved long messages. This eventually\n causes\n the EAP [...]\n Content analysis details: (-2.1 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no\n trust\n [18.132.163.193 listed in list.dnswl.org]\n 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n query to Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [18.132.163.193 listed in\n sa-trusted.bondedsender.org]\n 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [18.132.163.193 listed in sa-accredit.habeas.com]\n -0.0 SPF_PASS SPF: sender matches SPF record\n -0.0 SPF_HELO_PASS SPF: HELO matches SPF record\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]\n 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)\n [18.132.163.193 listed in wl.mailspike.net]\n 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [18.132.163.193 listed in\n bl.score.senderscore.com]\n 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders\n 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay\n lines","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" ","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"In many wired 802.1X network environments, the Authenticator sends\nperiodic EAP-Request/Identity messages as a non-standard keep-alive\nmechanism after a successful authentication.\n\nSince these Identity Requests are often short messages (< 20 bytes),\nthey consistently increment 'num_rounds_short' without being reset\nby any interleaved long messages. This eventually causes the EAP state\nmachine to exceed EAP_MAX_AUTH_ROUNDS_SHORT and transition to the\nFAILURE state. While the network may remain connected, this leads to\nspurious EAP failure logs and unnecessary state transitions.\n\nModify the round-trip counting logic in SM_STATE(EAP, RECEIVED) to\nexclude Identity Requests when no EAP method is currently selected.\nThis prevents the counter from overflowing due to network probing\nor keep-alive messages, while still maintaining protection against\nprotocol loops during active EAP method negotiation.\n\nSigned-off-by: xinpeng wang \n---\nThanks for your review, Jouni. Here is the v2 addressing your comments.\nChanges since v1:\n- Updated the commit message to accurately describe the logic.\n- Answered Jouni's questions: This is for wired PEAP environments where \n switches use Identity Requests as keep-alives.\n- Removed the unrelated change to log levels.\n\n src/eap_peer/eap.c | 24 +++++++++++++++++++-----\n 1 file changed, 19 insertions(+), 5 deletions(-)","diff":"diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c\nindex 935286242..9453a051e 100644\n--- a/src/eap_peer/eap.c\n+++ b/src/eap_peer/eap.c\n@@ -313,11 +313,25 @@ SM_STATE(EAP, RECEIVED)\n \teapReqData = eapol_get_eapReqData(sm);\n \t/* parse rxReq, rxSuccess, rxFailure, reqId, reqMethod */\n \teap_sm_parseEapReq(sm, eapReqData);\n-\tsm->num_rounds++;\n-\tif (!eapReqData || wpabuf_len(eapReqData) < 20)\n-\t\tsm->num_rounds_short++;\n-\telse\n-\t\tsm->num_rounds_short = 0;\n+\n+\t/*\n+\t * Only increment the round counters if:\n+\t * 1. The request is not an EAP-Identity (i.e., it's a specific EAP method).\n+\t * 2. Or, an EAP method has already been selected (i.e., we are in the\n+\t * middle of a negotiation session).\n+\t *\n+\t * This avoids incrementing counters for periodic Identity Requests used\n+\t * as keep-alive mechanisms in some wired 802.1X networks. Without this,\n+\t * repeated short Identity heartbeats would eventually trigger a spurious\n+\t * EAP failure after exceeding EAP_MAX_AUTH_ROUNDS_SHORT.\n+\t */\n+\tif (sm->selectedMethod != EAP_TYPE_NONE || sm->reqMethod != EAP_TYPE_IDENTITY) {\n+\t\tsm->num_rounds++;\n+\t\tif (!eapReqData || wpabuf_len(eapReqData) < 20)\n+\t\t\tsm->num_rounds_short++;\n+\t\telse\n+\t\t\tsm->num_rounds_short = 0;\n+\t}\n }\n \n \n","prefixes":["v2"]}