diff mbox series

[v2] eapol: ignore response in workarond mode

Message ID 20240319082626.19128-1-wangxinpeng@uniontech.com
State New
Headers show
Series [v2] eapol: ignore response in workarond mode | expand

Commit Message

xinpeng wang March 19, 2024, 8:26 a.m. UTC 
During eap authentication, the supplier sends the response to the address
01:80:c2:00:00:03, the PAE group address.
Some switches will broadcast messages sent to this address, which will
cause the devices under the same switch to receive these response packets,
which will cause the device's eap state machine to migrate incorrectly,
resulting in repeated authentication or slow authentication.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
---
 src/eapol_supp/eapol_supp_sm.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff mbox series

Patch

diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index abc1416a3..e5a8cc6ff 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -1365,6 +1365,25 @@  int eapol_sm_rx_eapol(struct eapol_sm *sm, const u8 *src, const u8 *buf,
 				wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with unknown code 10");
 				break;
 			}
+
+			if (plen >= sizeof(*ehdr) && ehdr->code == EAP_CODE_RESPONSE) {
+				const u8 *pos_tmp = (const u8 *) (ehdr + 1);
+				enum eap_type eap_type;
+				if (*pos_tmp != EAP_TYPE_EXPANDED) {
+					eap_type = *pos_tmp;
+				} else {
+					if (plen < sizeof(*ehdr) + 8) {
+						wpa_printf(MSG_INFO, "EAP: Invalid expanded EAP length");
+						break;
+					}
+					pos_tmp += 4;
+					eap_type = WPA_GET_BE32(pos_tmp);
+				}
+				if (eap_type != EAP_TYPE_LEAP) {
+					wpa_printf(MSG_DEBUG, "EAPOL: Ignore EAP packet with response");
+					break;
+				}
+			}
 		}
 
 		if (sm->cached_pmk) {