xref: /freebsd/contrib/wpa/wpa_supplicant/bss.c (revision da5069e1f7daaef1e7157876d6044de6f3a08ce2)
1 /*
2  * BSS table
3  * Copyright (c) 2009-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "drivers/driver.h"
15 #include "eap_peer/eap.h"
16 #include "wpa_supplicant_i.h"
17 #include "config.h"
18 #include "notify.h"
19 #include "scan.h"
20 #include "bss.h"
21 
22 
23 #define WPA_BSS_FREQ_CHANGED_FLAG	BIT(0)
24 #define WPA_BSS_SIGNAL_CHANGED_FLAG	BIT(1)
25 #define WPA_BSS_PRIVACY_CHANGED_FLAG	BIT(2)
26 #define WPA_BSS_MODE_CHANGED_FLAG	BIT(3)
27 #define WPA_BSS_WPAIE_CHANGED_FLAG	BIT(4)
28 #define WPA_BSS_RSNIE_CHANGED_FLAG	BIT(5)
29 #define WPA_BSS_WPS_CHANGED_FLAG	BIT(6)
30 #define WPA_BSS_RATES_CHANGED_FLAG	BIT(7)
31 #define WPA_BSS_IES_CHANGED_FLAG	BIT(8)
32 
33 
34 static void wpa_bss_set_hessid(struct wpa_bss *bss)
35 {
36 #ifdef CONFIG_INTERWORKING
37 	const u8 *ie = wpa_bss_get_ie(bss, WLAN_EID_INTERWORKING);
38 	if (ie == NULL || (ie[1] != 7 && ie[1] != 9)) {
39 		os_memset(bss->hessid, 0, ETH_ALEN);
40 		return;
41 	}
42 	if (ie[1] == 7)
43 		os_memcpy(bss->hessid, ie + 3, ETH_ALEN);
44 	else
45 		os_memcpy(bss->hessid, ie + 5, ETH_ALEN);
46 #endif /* CONFIG_INTERWORKING */
47 }
48 
49 
50 /**
51  * wpa_bss_anqp_alloc - Allocate ANQP data structure for a BSS entry
52  * Returns: Allocated ANQP data structure or %NULL on failure
53  *
54  * The allocated ANQP data structure has its users count set to 1. It may be
55  * shared by multiple BSS entries and each shared entry is freed with
56  * wpa_bss_anqp_free().
57  */
58 struct wpa_bss_anqp * wpa_bss_anqp_alloc(void)
59 {
60 	struct wpa_bss_anqp *anqp;
61 	anqp = os_zalloc(sizeof(*anqp));
62 	if (anqp == NULL)
63 		return NULL;
64 #ifdef CONFIG_INTERWORKING
65 	dl_list_init(&anqp->anqp_elems);
66 #endif /* CONFIG_INTERWORKING */
67 	anqp->users = 1;
68 	return anqp;
69 }
70 
71 
72 /**
73  * wpa_bss_anqp_clone - Clone an ANQP data structure
74  * @anqp: ANQP data structure from wpa_bss_anqp_alloc()
75  * Returns: Cloned ANQP data structure or %NULL on failure
76  */
77 static struct wpa_bss_anqp * wpa_bss_anqp_clone(struct wpa_bss_anqp *anqp)
78 {
79 	struct wpa_bss_anqp *n;
80 
81 	n = os_zalloc(sizeof(*n));
82 	if (n == NULL)
83 		return NULL;
84 
85 #define ANQP_DUP(f) if (anqp->f) n->f = wpabuf_dup(anqp->f)
86 #ifdef CONFIG_INTERWORKING
87 	dl_list_init(&n->anqp_elems);
88 	ANQP_DUP(capability_list);
89 	ANQP_DUP(venue_name);
90 	ANQP_DUP(network_auth_type);
91 	ANQP_DUP(roaming_consortium);
92 	ANQP_DUP(ip_addr_type_availability);
93 	ANQP_DUP(nai_realm);
94 	ANQP_DUP(anqp_3gpp);
95 	ANQP_DUP(domain_name);
96 	ANQP_DUP(fils_realm_info);
97 #endif /* CONFIG_INTERWORKING */
98 #ifdef CONFIG_HS20
99 	ANQP_DUP(hs20_capability_list);
100 	ANQP_DUP(hs20_operator_friendly_name);
101 	ANQP_DUP(hs20_wan_metrics);
102 	ANQP_DUP(hs20_connection_capability);
103 	ANQP_DUP(hs20_operating_class);
104 	ANQP_DUP(hs20_osu_providers_list);
105 	ANQP_DUP(hs20_operator_icon_metadata);
106 	ANQP_DUP(hs20_osu_providers_nai_list);
107 #endif /* CONFIG_HS20 */
108 #undef ANQP_DUP
109 
110 	return n;
111 }
112 
113 
114 /**
115  * wpa_bss_anqp_unshare_alloc - Unshare ANQP data (if shared) in a BSS entry
116  * @bss: BSS entry
117  * Returns: 0 on success, -1 on failure
118  *
119  * This function ensures the specific BSS entry has an ANQP data structure that
120  * is not shared with any other BSS entry.
121  */
122 int wpa_bss_anqp_unshare_alloc(struct wpa_bss *bss)
123 {
124 	struct wpa_bss_anqp *anqp;
125 
126 	if (bss->anqp && bss->anqp->users > 1) {
127 		/* allocated, but shared - clone an unshared copy */
128 		anqp = wpa_bss_anqp_clone(bss->anqp);
129 		if (anqp == NULL)
130 			return -1;
131 		anqp->users = 1;
132 		bss->anqp->users--;
133 		bss->anqp = anqp;
134 		return 0;
135 	}
136 
137 	if (bss->anqp)
138 		return 0; /* already allocated and not shared */
139 
140 	/* not allocated - allocate a new storage area */
141 	bss->anqp = wpa_bss_anqp_alloc();
142 	return bss->anqp ? 0 : -1;
143 }
144 
145 
146 /**
147  * wpa_bss_anqp_free - Free an ANQP data structure
148  * @anqp: ANQP data structure from wpa_bss_anqp_alloc() or wpa_bss_anqp_clone()
149  */
150 static void wpa_bss_anqp_free(struct wpa_bss_anqp *anqp)
151 {
152 #ifdef CONFIG_INTERWORKING
153 	struct wpa_bss_anqp_elem *elem;
154 #endif /* CONFIG_INTERWORKING */
155 
156 	if (anqp == NULL)
157 		return;
158 
159 	anqp->users--;
160 	if (anqp->users > 0) {
161 		/* Another BSS entry holds a pointer to this ANQP info */
162 		return;
163 	}
164 
165 #ifdef CONFIG_INTERWORKING
166 	wpabuf_free(anqp->capability_list);
167 	wpabuf_free(anqp->venue_name);
168 	wpabuf_free(anqp->network_auth_type);
169 	wpabuf_free(anqp->roaming_consortium);
170 	wpabuf_free(anqp->ip_addr_type_availability);
171 	wpabuf_free(anqp->nai_realm);
172 	wpabuf_free(anqp->anqp_3gpp);
173 	wpabuf_free(anqp->domain_name);
174 	wpabuf_free(anqp->fils_realm_info);
175 
176 	while ((elem = dl_list_first(&anqp->anqp_elems,
177 				     struct wpa_bss_anqp_elem, list))) {
178 		dl_list_del(&elem->list);
179 		wpabuf_free(elem->payload);
180 		os_free(elem);
181 	}
182 #endif /* CONFIG_INTERWORKING */
183 #ifdef CONFIG_HS20
184 	wpabuf_free(anqp->hs20_capability_list);
185 	wpabuf_free(anqp->hs20_operator_friendly_name);
186 	wpabuf_free(anqp->hs20_wan_metrics);
187 	wpabuf_free(anqp->hs20_connection_capability);
188 	wpabuf_free(anqp->hs20_operating_class);
189 	wpabuf_free(anqp->hs20_osu_providers_list);
190 	wpabuf_free(anqp->hs20_operator_icon_metadata);
191 	wpabuf_free(anqp->hs20_osu_providers_nai_list);
192 #endif /* CONFIG_HS20 */
193 
194 	os_free(anqp);
195 }
196 
197 
198 static void wpa_bss_update_pending_connect(struct wpa_supplicant *wpa_s,
199 					   struct wpa_bss *old_bss,
200 					   struct wpa_bss *new_bss)
201 {
202 	struct wpa_radio_work *work;
203 	struct wpa_connect_work *cwork;
204 
205 	work = radio_work_pending(wpa_s, "sme-connect");
206 	if (!work)
207 		work = radio_work_pending(wpa_s, "connect");
208 	if (!work)
209 		return;
210 
211 	cwork = work->ctx;
212 	if (cwork->bss != old_bss)
213 		return;
214 
215 	wpa_printf(MSG_DEBUG,
216 		   "Update BSS pointer for the pending connect radio work");
217 	cwork->bss = new_bss;
218 	if (!new_bss)
219 		cwork->bss_removed = 1;
220 }
221 
222 
223 void wpa_bss_remove(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
224 		    const char *reason)
225 {
226 	if (wpa_s->last_scan_res) {
227 		unsigned int i;
228 		for (i = 0; i < wpa_s->last_scan_res_used; i++) {
229 			if (wpa_s->last_scan_res[i] == bss) {
230 				os_memmove(&wpa_s->last_scan_res[i],
231 					   &wpa_s->last_scan_res[i + 1],
232 					   (wpa_s->last_scan_res_used - i - 1)
233 					   * sizeof(struct wpa_bss *));
234 				wpa_s->last_scan_res_used--;
235 				break;
236 			}
237 		}
238 	}
239 	wpa_bss_update_pending_connect(wpa_s, bss, NULL);
240 	dl_list_del(&bss->list);
241 	dl_list_del(&bss->list_id);
242 	wpa_s->num_bss--;
243 	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Remove id %u BSSID " MACSTR
244 		" SSID '%s' due to %s", bss->id, MAC2STR(bss->bssid),
245 		wpa_ssid_txt(bss->ssid, bss->ssid_len), reason);
246 	wpas_notify_bss_removed(wpa_s, bss->bssid, bss->id);
247 	wpa_bss_anqp_free(bss->anqp);
248 	os_free(bss);
249 }
250 
251 
252 /**
253  * wpa_bss_get - Fetch a BSS table entry based on BSSID and SSID
254  * @wpa_s: Pointer to wpa_supplicant data
255  * @bssid: BSSID
256  * @ssid: SSID
257  * @ssid_len: Length of @ssid
258  * Returns: Pointer to the BSS entry or %NULL if not found
259  */
260 struct wpa_bss * wpa_bss_get(struct wpa_supplicant *wpa_s, const u8 *bssid,
261 			     const u8 *ssid, size_t ssid_len)
262 {
263 	struct wpa_bss *bss;
264 	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
265 		return NULL;
266 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
267 		if (os_memcmp(bss->bssid, bssid, ETH_ALEN) == 0 &&
268 		    bss->ssid_len == ssid_len &&
269 		    os_memcmp(bss->ssid, ssid, ssid_len) == 0)
270 			return bss;
271 	}
272 	return NULL;
273 }
274 
275 
276 void calculate_update_time(const struct os_reltime *fetch_time,
277 			   unsigned int age_ms,
278 			   struct os_reltime *update_time)
279 {
280 	os_time_t usec;
281 
282 	update_time->sec = fetch_time->sec;
283 	update_time->usec = fetch_time->usec;
284 	update_time->sec -= age_ms / 1000;
285 	usec = (age_ms % 1000) * 1000;
286 	if (update_time->usec < usec) {
287 		update_time->sec--;
288 		update_time->usec += 1000000;
289 	}
290 	update_time->usec -= usec;
291 }
292 
293 
294 static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
295 			     struct os_reltime *fetch_time)
296 {
297 	dst->flags = src->flags;
298 	os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
299 	dst->freq = src->freq;
300 	dst->beacon_int = src->beacon_int;
301 	dst->caps = src->caps;
302 	dst->qual = src->qual;
303 	dst->noise = src->noise;
304 	dst->level = src->level;
305 	dst->tsf = src->tsf;
306 	dst->est_throughput = src->est_throughput;
307 	dst->snr = src->snr;
308 
309 	calculate_update_time(fetch_time, src->age, &dst->last_update);
310 }
311 
312 
313 static int wpa_bss_is_wps_candidate(struct wpa_supplicant *wpa_s,
314 				    struct wpa_bss *bss)
315 {
316 #ifdef CONFIG_WPS
317 	struct wpa_ssid *ssid;
318 	struct wpabuf *wps_ie;
319 	int pbc = 0, ret;
320 
321 	wps_ie = wpa_bss_get_vendor_ie_multi(bss, WPS_IE_VENDOR_TYPE);
322 	if (!wps_ie)
323 		return 0;
324 
325 	if (wps_is_selected_pbc_registrar(wps_ie)) {
326 		pbc = 1;
327 	} else if (!wps_is_addr_authorized(wps_ie, wpa_s->own_addr, 1)) {
328 		wpabuf_free(wps_ie);
329 		return 0;
330 	}
331 
332 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
333 		if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
334 			continue;
335 		if (ssid->ssid_len &&
336 		    (ssid->ssid_len != bss->ssid_len ||
337 		     os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) != 0))
338 			continue;
339 
340 		if (pbc)
341 			ret = eap_is_wps_pbc_enrollee(&ssid->eap);
342 		else
343 			ret = eap_is_wps_pin_enrollee(&ssid->eap);
344 		wpabuf_free(wps_ie);
345 		return ret;
346 	}
347 	wpabuf_free(wps_ie);
348 #endif /* CONFIG_WPS */
349 
350 	return 0;
351 }
352 
353 
354 static int wpa_bss_known(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
355 {
356 	struct wpa_ssid *ssid;
357 
358 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
359 		if (ssid->ssid == NULL || ssid->ssid_len == 0)
360 			continue;
361 		if (ssid->ssid_len == bss->ssid_len &&
362 		    os_memcmp(ssid->ssid, bss->ssid, ssid->ssid_len) == 0)
363 			return 1;
364 	}
365 
366 	return 0;
367 }
368 
369 
370 static int wpa_bss_in_use(struct wpa_supplicant *wpa_s, struct wpa_bss *bss)
371 {
372 	if (bss == wpa_s->current_bss)
373 		return 1;
374 
375 	if (wpa_s->current_bss &&
376 	    (bss->ssid_len != wpa_s->current_bss->ssid_len ||
377 	     os_memcmp(bss->ssid, wpa_s->current_bss->ssid,
378 		       bss->ssid_len) != 0))
379 		return 0; /* SSID has changed */
380 
381 	return !is_zero_ether_addr(bss->bssid) &&
382 		(os_memcmp(bss->bssid, wpa_s->bssid, ETH_ALEN) == 0 ||
383 		 os_memcmp(bss->bssid, wpa_s->pending_bssid, ETH_ALEN) == 0);
384 }
385 
386 
387 static int wpa_bss_remove_oldest_unknown(struct wpa_supplicant *wpa_s)
388 {
389 	struct wpa_bss *bss;
390 
391 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
392 		if (!wpa_bss_known(wpa_s, bss) &&
393 		    !wpa_bss_is_wps_candidate(wpa_s, bss)) {
394 			wpa_bss_remove(wpa_s, bss, __func__);
395 			return 0;
396 		}
397 	}
398 
399 	return -1;
400 }
401 
402 
403 static int wpa_bss_remove_oldest(struct wpa_supplicant *wpa_s)
404 {
405 	struct wpa_bss *bss;
406 
407 	/*
408 	 * Remove the oldest entry that does not match with any configured
409 	 * network.
410 	 */
411 	if (wpa_bss_remove_oldest_unknown(wpa_s) == 0)
412 		return 0;
413 
414 	/*
415 	 * Remove the oldest entry that isn't currently in use.
416 	 */
417 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
418 		if (!wpa_bss_in_use(wpa_s, bss)) {
419 			wpa_bss_remove(wpa_s, bss, __func__);
420 			return 0;
421 		}
422 	}
423 
424 	return -1;
425 }
426 
427 
428 static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s,
429 				    const u8 *ssid, size_t ssid_len,
430 				    struct wpa_scan_res *res,
431 				    struct os_reltime *fetch_time)
432 {
433 	struct wpa_bss *bss;
434 
435 	bss = os_zalloc(sizeof(*bss) + res->ie_len + res->beacon_ie_len);
436 	if (bss == NULL)
437 		return NULL;
438 	bss->id = wpa_s->bss_next_id++;
439 	bss->last_update_idx = wpa_s->bss_update_idx;
440 	wpa_bss_copy_res(bss, res, fetch_time);
441 	os_memcpy(bss->ssid, ssid, ssid_len);
442 	bss->ssid_len = ssid_len;
443 	bss->ie_len = res->ie_len;
444 	bss->beacon_ie_len = res->beacon_ie_len;
445 	os_memcpy(bss + 1, res + 1, res->ie_len + res->beacon_ie_len);
446 	wpa_bss_set_hessid(bss);
447 
448 	if (wpa_s->num_bss + 1 > wpa_s->conf->bss_max_count &&
449 	    wpa_bss_remove_oldest(wpa_s) != 0) {
450 		wpa_printf(MSG_ERROR, "Increasing the MAX BSS count to %d "
451 			   "because all BSSes are in use. We should normally "
452 			   "not get here!", (int) wpa_s->num_bss + 1);
453 		wpa_s->conf->bss_max_count = wpa_s->num_bss + 1;
454 	}
455 
456 	dl_list_add_tail(&wpa_s->bss, &bss->list);
457 	dl_list_add_tail(&wpa_s->bss_id, &bss->list_id);
458 	wpa_s->num_bss++;
459 	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Add new id %u BSSID " MACSTR
460 		" SSID '%s' freq %d",
461 		bss->id, MAC2STR(bss->bssid), wpa_ssid_txt(ssid, ssid_len),
462 		bss->freq);
463 	wpas_notify_bss_added(wpa_s, bss->bssid, bss->id);
464 	return bss;
465 }
466 
467 
468 static int are_ies_equal(const struct wpa_bss *old,
469 			 const struct wpa_scan_res *new_res, u32 ie)
470 {
471 	const u8 *old_ie, *new_ie;
472 	struct wpabuf *old_ie_buff = NULL;
473 	struct wpabuf *new_ie_buff = NULL;
474 	int new_ie_len, old_ie_len, ret, is_multi;
475 
476 	switch (ie) {
477 	case WPA_IE_VENDOR_TYPE:
478 		old_ie = wpa_bss_get_vendor_ie(old, ie);
479 		new_ie = wpa_scan_get_vendor_ie(new_res, ie);
480 		is_multi = 0;
481 		break;
482 	case WPS_IE_VENDOR_TYPE:
483 		old_ie_buff = wpa_bss_get_vendor_ie_multi(old, ie);
484 		new_ie_buff = wpa_scan_get_vendor_ie_multi(new_res, ie);
485 		is_multi = 1;
486 		break;
487 	case WLAN_EID_RSN:
488 	case WLAN_EID_SUPP_RATES:
489 	case WLAN_EID_EXT_SUPP_RATES:
490 		old_ie = wpa_bss_get_ie(old, ie);
491 		new_ie = wpa_scan_get_ie(new_res, ie);
492 		is_multi = 0;
493 		break;
494 	default:
495 		wpa_printf(MSG_DEBUG, "bss: %s: cannot compare IEs", __func__);
496 		return 0;
497 	}
498 
499 	if (is_multi) {
500 		/* in case of multiple IEs stored in buffer */
501 		old_ie = old_ie_buff ? wpabuf_head_u8(old_ie_buff) : NULL;
502 		new_ie = new_ie_buff ? wpabuf_head_u8(new_ie_buff) : NULL;
503 		old_ie_len = old_ie_buff ? wpabuf_len(old_ie_buff) : 0;
504 		new_ie_len = new_ie_buff ? wpabuf_len(new_ie_buff) : 0;
505 	} else {
506 		/* in case of single IE */
507 		old_ie_len = old_ie ? old_ie[1] + 2 : 0;
508 		new_ie_len = new_ie ? new_ie[1] + 2 : 0;
509 	}
510 
511 	if (!old_ie || !new_ie)
512 		ret = !old_ie && !new_ie;
513 	else
514 		ret = (old_ie_len == new_ie_len &&
515 		       os_memcmp(old_ie, new_ie, old_ie_len) == 0);
516 
517 	wpabuf_free(old_ie_buff);
518 	wpabuf_free(new_ie_buff);
519 
520 	return ret;
521 }
522 
523 
524 static u32 wpa_bss_compare_res(const struct wpa_bss *old,
525 			       const struct wpa_scan_res *new_res)
526 {
527 	u32 changes = 0;
528 	int caps_diff = old->caps ^ new_res->caps;
529 
530 	if (old->freq != new_res->freq)
531 		changes |= WPA_BSS_FREQ_CHANGED_FLAG;
532 
533 	if (old->level != new_res->level)
534 		changes |= WPA_BSS_SIGNAL_CHANGED_FLAG;
535 
536 	if (caps_diff & IEEE80211_CAP_PRIVACY)
537 		changes |= WPA_BSS_PRIVACY_CHANGED_FLAG;
538 
539 	if (caps_diff & IEEE80211_CAP_IBSS)
540 		changes |= WPA_BSS_MODE_CHANGED_FLAG;
541 
542 	if (old->ie_len == new_res->ie_len &&
543 	    os_memcmp(old + 1, new_res + 1, old->ie_len) == 0)
544 		return changes;
545 	changes |= WPA_BSS_IES_CHANGED_FLAG;
546 
547 	if (!are_ies_equal(old, new_res, WPA_IE_VENDOR_TYPE))
548 		changes |= WPA_BSS_WPAIE_CHANGED_FLAG;
549 
550 	if (!are_ies_equal(old, new_res, WLAN_EID_RSN))
551 		changes |= WPA_BSS_RSNIE_CHANGED_FLAG;
552 
553 	if (!are_ies_equal(old, new_res, WPS_IE_VENDOR_TYPE))
554 		changes |= WPA_BSS_WPS_CHANGED_FLAG;
555 
556 	if (!are_ies_equal(old, new_res, WLAN_EID_SUPP_RATES) ||
557 	    !are_ies_equal(old, new_res, WLAN_EID_EXT_SUPP_RATES))
558 		changes |= WPA_BSS_RATES_CHANGED_FLAG;
559 
560 	return changes;
561 }
562 
563 
564 static void notify_bss_changes(struct wpa_supplicant *wpa_s, u32 changes,
565 			       const struct wpa_bss *bss)
566 {
567 	if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
568 		wpas_notify_bss_freq_changed(wpa_s, bss->id);
569 
570 	if (changes & WPA_BSS_SIGNAL_CHANGED_FLAG)
571 		wpas_notify_bss_signal_changed(wpa_s, bss->id);
572 
573 	if (changes & WPA_BSS_PRIVACY_CHANGED_FLAG)
574 		wpas_notify_bss_privacy_changed(wpa_s, bss->id);
575 
576 	if (changes & WPA_BSS_MODE_CHANGED_FLAG)
577 		wpas_notify_bss_mode_changed(wpa_s, bss->id);
578 
579 	if (changes & WPA_BSS_WPAIE_CHANGED_FLAG)
580 		wpas_notify_bss_wpaie_changed(wpa_s, bss->id);
581 
582 	if (changes & WPA_BSS_RSNIE_CHANGED_FLAG)
583 		wpas_notify_bss_rsnie_changed(wpa_s, bss->id);
584 
585 	if (changes & WPA_BSS_WPS_CHANGED_FLAG)
586 		wpas_notify_bss_wps_changed(wpa_s, bss->id);
587 
588 	if (changes & WPA_BSS_IES_CHANGED_FLAG)
589 		wpas_notify_bss_ies_changed(wpa_s, bss->id);
590 
591 	if (changes & WPA_BSS_RATES_CHANGED_FLAG)
592 		wpas_notify_bss_rates_changed(wpa_s, bss->id);
593 
594 	wpas_notify_bss_seen(wpa_s, bss->id);
595 }
596 
597 
598 static struct wpa_bss *
599 wpa_bss_update(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
600 	       struct wpa_scan_res *res, struct os_reltime *fetch_time)
601 {
602 	u32 changes;
603 
604 	if (bss->last_update_idx == wpa_s->bss_update_idx) {
605 		struct os_reltime update_time;
606 
607 		/*
608 		 * Some drivers (e.g., cfg80211) include multiple BSS entries
609 		 * for the same BSS if that BSS's channel changes. The BSS list
610 		 * implementation in wpa_supplicant does not do that and we need
611 		 * to filter out the obsolete results here to make sure only the
612 		 * most current BSS information remains in the table.
613 		 */
614 		wpa_printf(MSG_DEBUG, "BSS: " MACSTR
615 			   " has multiple entries in the scan results - select the most current one",
616 			   MAC2STR(bss->bssid));
617 		calculate_update_time(fetch_time, res->age, &update_time);
618 		wpa_printf(MSG_DEBUG,
619 			   "Previous last_update: %u.%06u (freq %d%s)",
620 			   (unsigned int) bss->last_update.sec,
621 			   (unsigned int) bss->last_update.usec,
622 			   bss->freq,
623 			   (bss->flags & WPA_BSS_ASSOCIATED) ? " assoc" : "");
624 		wpa_printf(MSG_DEBUG, "New last_update: %u.%06u (freq %d%s)",
625 			   (unsigned int) update_time.sec,
626 			   (unsigned int) update_time.usec,
627 			   res->freq,
628 			   (res->flags & WPA_SCAN_ASSOCIATED) ? " assoc" : "");
629 		if ((bss->flags & WPA_BSS_ASSOCIATED) ||
630 		    (!(res->flags & WPA_SCAN_ASSOCIATED) &&
631 		     !os_reltime_before(&bss->last_update, &update_time))) {
632 			wpa_printf(MSG_DEBUG,
633 				   "Ignore this BSS entry since the previous update looks more current");
634 			return bss;
635 		}
636 		wpa_printf(MSG_DEBUG,
637 			   "Accept this BSS entry since it looks more current than the previous update");
638 	}
639 
640 	changes = wpa_bss_compare_res(bss, res);
641 	if (changes & WPA_BSS_FREQ_CHANGED_FLAG)
642 		wpa_printf(MSG_DEBUG, "BSS: " MACSTR " changed freq %d --> %d",
643 			   MAC2STR(bss->bssid), bss->freq, res->freq);
644 	bss->scan_miss_count = 0;
645 	bss->last_update_idx = wpa_s->bss_update_idx;
646 	wpa_bss_copy_res(bss, res, fetch_time);
647 	/* Move the entry to the end of the list */
648 	dl_list_del(&bss->list);
649 #ifdef CONFIG_P2P
650 	if (wpa_bss_get_vendor_ie(bss, P2P_IE_VENDOR_TYPE) &&
651 	    !wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE)) {
652 		/*
653 		 * This can happen when non-P2P station interface runs a scan
654 		 * without P2P IE in the Probe Request frame. P2P GO would reply
655 		 * to that with a Probe Response that does not include P2P IE.
656 		 * Do not update the IEs in this BSS entry to avoid such loss of
657 		 * information that may be needed for P2P operations to
658 		 * determine group information.
659 		 */
660 		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Do not update scan IEs for "
661 			MACSTR " since that would remove P2P IE information",
662 			MAC2STR(bss->bssid));
663 	} else
664 #endif /* CONFIG_P2P */
665 	if (bss->ie_len + bss->beacon_ie_len >=
666 	    res->ie_len + res->beacon_ie_len) {
667 		os_memcpy(bss + 1, res + 1, res->ie_len + res->beacon_ie_len);
668 		bss->ie_len = res->ie_len;
669 		bss->beacon_ie_len = res->beacon_ie_len;
670 	} else {
671 		struct wpa_bss *nbss;
672 		struct dl_list *prev = bss->list_id.prev;
673 		dl_list_del(&bss->list_id);
674 		nbss = os_realloc(bss, sizeof(*bss) + res->ie_len +
675 				  res->beacon_ie_len);
676 		if (nbss) {
677 			unsigned int i;
678 			for (i = 0; i < wpa_s->last_scan_res_used; i++) {
679 				if (wpa_s->last_scan_res[i] == bss) {
680 					wpa_s->last_scan_res[i] = nbss;
681 					break;
682 				}
683 			}
684 			if (wpa_s->current_bss == bss)
685 				wpa_s->current_bss = nbss;
686 			wpa_bss_update_pending_connect(wpa_s, bss, nbss);
687 			bss = nbss;
688 			os_memcpy(bss + 1, res + 1,
689 				  res->ie_len + res->beacon_ie_len);
690 			bss->ie_len = res->ie_len;
691 			bss->beacon_ie_len = res->beacon_ie_len;
692 		}
693 		dl_list_add(prev, &bss->list_id);
694 	}
695 	if (changes & WPA_BSS_IES_CHANGED_FLAG)
696 		wpa_bss_set_hessid(bss);
697 	dl_list_add_tail(&wpa_s->bss, &bss->list);
698 
699 	notify_bss_changes(wpa_s, changes, bss);
700 
701 	return bss;
702 }
703 
704 
705 /**
706  * wpa_bss_update_start - Start a BSS table update from scan results
707  * @wpa_s: Pointer to wpa_supplicant data
708  *
709  * This function is called at the start of each BSS table update round for new
710  * scan results. The actual scan result entries are indicated with calls to
711  * wpa_bss_update_scan_res() and the update round is finished with a call to
712  * wpa_bss_update_end().
713  */
714 void wpa_bss_update_start(struct wpa_supplicant *wpa_s)
715 {
716 	wpa_s->bss_update_idx++;
717 	wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Start scan result update %u",
718 		wpa_s->bss_update_idx);
719 	wpa_s->last_scan_res_used = 0;
720 }
721 
722 
723 /**
724  * wpa_bss_update_scan_res - Update a BSS table entry based on a scan result
725  * @wpa_s: Pointer to wpa_supplicant data
726  * @res: Scan result
727  * @fetch_time: Time when the result was fetched from the driver
728  *
729  * This function updates a BSS table entry (or adds one) based on a scan result.
730  * This is called separately for each scan result between the calls to
731  * wpa_bss_update_start() and wpa_bss_update_end().
732  */
733 void wpa_bss_update_scan_res(struct wpa_supplicant *wpa_s,
734 			     struct wpa_scan_res *res,
735 			     struct os_reltime *fetch_time)
736 {
737 	const u8 *ssid, *p2p, *mesh;
738 	struct wpa_bss *bss;
739 
740 	if (wpa_s->conf->ignore_old_scan_res) {
741 		struct os_reltime update;
742 		calculate_update_time(fetch_time, res->age, &update);
743 		if (os_reltime_before(&update, &wpa_s->scan_trigger_time)) {
744 			struct os_reltime age;
745 			os_reltime_sub(&wpa_s->scan_trigger_time, &update,
746 				       &age);
747 			wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Ignore driver BSS "
748 				"table entry that is %u.%06u seconds older "
749 				"than our scan trigger",
750 				(unsigned int) age.sec,
751 				(unsigned int) age.usec);
752 			return;
753 		}
754 	}
755 
756 	ssid = wpa_scan_get_ie(res, WLAN_EID_SSID);
757 	if (ssid == NULL) {
758 		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: No SSID IE included for "
759 			MACSTR, MAC2STR(res->bssid));
760 		return;
761 	}
762 	if (ssid[1] > SSID_MAX_LEN) {
763 		wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Too long SSID IE included for "
764 			MACSTR, MAC2STR(res->bssid));
765 		return;
766 	}
767 
768 	p2p = wpa_scan_get_vendor_ie(res, P2P_IE_VENDOR_TYPE);
769 #ifdef CONFIG_P2P
770 	if (p2p == NULL &&
771 	    wpa_s->p2p_group_interface != NOT_P2P_GROUP_INTERFACE) {
772 		/*
773 		 * If it's a P2P specific interface, then don't update
774 		 * the scan result without a P2P IE.
775 		 */
776 		wpa_printf(MSG_DEBUG, "BSS: No P2P IE - skipping BSS " MACSTR
777 			   " update for P2P interface", MAC2STR(res->bssid));
778 		return;
779 	}
780 #endif /* CONFIG_P2P */
781 	if (p2p && ssid[1] == P2P_WILDCARD_SSID_LEN &&
782 	    os_memcmp(ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) == 0)
783 		return; /* Skip P2P listen discovery results here */
784 
785 	/* TODO: add option for ignoring BSSes we are not interested in
786 	 * (to save memory) */
787 
788 	mesh = wpa_scan_get_ie(res, WLAN_EID_MESH_ID);
789 	if (mesh && mesh[1] <= SSID_MAX_LEN)
790 		ssid = mesh;
791 
792 	bss = wpa_bss_get(wpa_s, res->bssid, ssid + 2, ssid[1]);
793 	if (bss == NULL)
794 		bss = wpa_bss_add(wpa_s, ssid + 2, ssid[1], res, fetch_time);
795 	else {
796 		bss = wpa_bss_update(wpa_s, bss, res, fetch_time);
797 		if (wpa_s->last_scan_res) {
798 			unsigned int i;
799 			for (i = 0; i < wpa_s->last_scan_res_used; i++) {
800 				if (bss == wpa_s->last_scan_res[i]) {
801 					/* Already in the list */
802 					return;
803 				}
804 			}
805 		}
806 	}
807 
808 	if (bss == NULL)
809 		return;
810 	if (wpa_s->last_scan_res_used >= wpa_s->last_scan_res_size) {
811 		struct wpa_bss **n;
812 		unsigned int siz;
813 		if (wpa_s->last_scan_res_size == 0)
814 			siz = 32;
815 		else
816 			siz = wpa_s->last_scan_res_size * 2;
817 		n = os_realloc_array(wpa_s->last_scan_res, siz,
818 				     sizeof(struct wpa_bss *));
819 		if (n == NULL)
820 			return;
821 		wpa_s->last_scan_res = n;
822 		wpa_s->last_scan_res_size = siz;
823 	}
824 
825 	if (wpa_s->last_scan_res)
826 		wpa_s->last_scan_res[wpa_s->last_scan_res_used++] = bss;
827 }
828 
829 
830 static int wpa_bss_included_in_scan(const struct wpa_bss *bss,
831 				    const struct scan_info *info)
832 {
833 	int found;
834 	size_t i;
835 
836 	if (info == NULL)
837 		return 1;
838 
839 	if (info->num_freqs) {
840 		found = 0;
841 		for (i = 0; i < info->num_freqs; i++) {
842 			if (bss->freq == info->freqs[i]) {
843 				found = 1;
844 				break;
845 			}
846 		}
847 		if (!found)
848 			return 0;
849 	}
850 
851 	if (info->num_ssids) {
852 		found = 0;
853 		for (i = 0; i < info->num_ssids; i++) {
854 			const struct wpa_driver_scan_ssid *s = &info->ssids[i];
855 			if ((s->ssid == NULL || s->ssid_len == 0) ||
856 			    (s->ssid_len == bss->ssid_len &&
857 			     os_memcmp(s->ssid, bss->ssid, bss->ssid_len) ==
858 			     0)) {
859 				found = 1;
860 				break;
861 			}
862 		}
863 		if (!found)
864 			return 0;
865 	}
866 
867 	return 1;
868 }
869 
870 
871 /**
872  * wpa_bss_update_end - End a BSS table update from scan results
873  * @wpa_s: Pointer to wpa_supplicant data
874  * @info: Information about scan parameters
875  * @new_scan: Whether this update round was based on a new scan
876  *
877  * This function is called at the end of each BSS table update round for new
878  * scan results. The start of the update was indicated with a call to
879  * wpa_bss_update_start().
880  */
881 void wpa_bss_update_end(struct wpa_supplicant *wpa_s, struct scan_info *info,
882 			int new_scan)
883 {
884 	struct wpa_bss *bss, *n;
885 
886 	os_get_reltime(&wpa_s->last_scan);
887 	if ((info && info->aborted) || !new_scan)
888 		return; /* do not expire entries without new scan */
889 
890 	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
891 		if (wpa_bss_in_use(wpa_s, bss))
892 			continue;
893 		if (!wpa_bss_included_in_scan(bss, info))
894 			continue; /* expire only BSSes that were scanned */
895 		if (bss->last_update_idx < wpa_s->bss_update_idx)
896 			bss->scan_miss_count++;
897 		if (bss->scan_miss_count >=
898 		    wpa_s->conf->bss_expiration_scan_count) {
899 			wpa_bss_remove(wpa_s, bss, "no match in scan");
900 		}
901 	}
902 
903 	wpa_printf(MSG_DEBUG, "BSS: last_scan_res_used=%u/%u",
904 		   wpa_s->last_scan_res_used, wpa_s->last_scan_res_size);
905 }
906 
907 
908 /**
909  * wpa_bss_flush_by_age - Flush old BSS entries
910  * @wpa_s: Pointer to wpa_supplicant data
911  * @age: Maximum entry age in seconds
912  *
913  * Remove BSS entries that have not been updated during the last @age seconds.
914  */
915 void wpa_bss_flush_by_age(struct wpa_supplicant *wpa_s, int age)
916 {
917 	struct wpa_bss *bss, *n;
918 	struct os_reltime t;
919 
920 	if (dl_list_empty(&wpa_s->bss))
921 		return;
922 
923 	os_get_reltime(&t);
924 	t.sec -= age;
925 
926 	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
927 		if (wpa_bss_in_use(wpa_s, bss))
928 			continue;
929 
930 		if (os_reltime_before(&bss->last_update, &t)) {
931 			wpa_bss_remove(wpa_s, bss, __func__);
932 		} else
933 			break;
934 	}
935 }
936 
937 
938 /**
939  * wpa_bss_init - Initialize BSS table
940  * @wpa_s: Pointer to wpa_supplicant data
941  * Returns: 0 on success, -1 on failure
942  *
943  * This prepares BSS table lists and timer for periodic updates. The BSS table
944  * is deinitialized with wpa_bss_deinit() once not needed anymore.
945  */
946 int wpa_bss_init(struct wpa_supplicant *wpa_s)
947 {
948 	dl_list_init(&wpa_s->bss);
949 	dl_list_init(&wpa_s->bss_id);
950 	return 0;
951 }
952 
953 
954 /**
955  * wpa_bss_flush - Flush all unused BSS entries
956  * @wpa_s: Pointer to wpa_supplicant data
957  */
958 void wpa_bss_flush(struct wpa_supplicant *wpa_s)
959 {
960 	struct wpa_bss *bss, *n;
961 
962 	wpa_s->clear_driver_scan_cache = 1;
963 
964 	if (wpa_s->bss.next == NULL)
965 		return; /* BSS table not yet initialized */
966 
967 	dl_list_for_each_safe(bss, n, &wpa_s->bss, struct wpa_bss, list) {
968 		if (wpa_bss_in_use(wpa_s, bss))
969 			continue;
970 		wpa_bss_remove(wpa_s, bss, __func__);
971 	}
972 }
973 
974 
975 /**
976  * wpa_bss_deinit - Deinitialize BSS table
977  * @wpa_s: Pointer to wpa_supplicant data
978  */
979 void wpa_bss_deinit(struct wpa_supplicant *wpa_s)
980 {
981 	wpa_bss_flush(wpa_s);
982 }
983 
984 
985 /**
986  * wpa_bss_get_bssid - Fetch a BSS table entry based on BSSID
987  * @wpa_s: Pointer to wpa_supplicant data
988  * @bssid: BSSID
989  * Returns: Pointer to the BSS entry or %NULL if not found
990  */
991 struct wpa_bss * wpa_bss_get_bssid(struct wpa_supplicant *wpa_s,
992 				   const u8 *bssid)
993 {
994 	struct wpa_bss *bss;
995 	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
996 		return NULL;
997 	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
998 		if (os_memcmp(bss->bssid, bssid, ETH_ALEN) == 0)
999 			return bss;
1000 	}
1001 	return NULL;
1002 }
1003 
1004 
1005 /**
1006  * wpa_bss_get_bssid_latest - Fetch the latest BSS table entry based on BSSID
1007  * @wpa_s: Pointer to wpa_supplicant data
1008  * @bssid: BSSID
1009  * Returns: Pointer to the BSS entry or %NULL if not found
1010  *
1011  * This function is like wpa_bss_get_bssid(), but full BSS table is iterated to
1012  * find the entry that has the most recent update. This can help in finding the
1013  * correct entry in cases where the SSID of the AP may have changed recently
1014  * (e.g., in WPS reconfiguration cases).
1015  */
1016 struct wpa_bss * wpa_bss_get_bssid_latest(struct wpa_supplicant *wpa_s,
1017 					  const u8 *bssid)
1018 {
1019 	struct wpa_bss *bss, *found = NULL;
1020 	if (!wpa_supplicant_filter_bssid_match(wpa_s, bssid))
1021 		return NULL;
1022 	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1023 		if (os_memcmp(bss->bssid, bssid, ETH_ALEN) != 0)
1024 			continue;
1025 		if (found == NULL ||
1026 		    os_reltime_before(&found->last_update, &bss->last_update))
1027 			found = bss;
1028 	}
1029 	return found;
1030 }
1031 
1032 
1033 #ifdef CONFIG_P2P
1034 /**
1035  * wpa_bss_get_p2p_dev_addr - Fetch a BSS table entry based on P2P Device Addr
1036  * @wpa_s: Pointer to wpa_supplicant data
1037  * @dev_addr: P2P Device Address of the GO
1038  * Returns: Pointer to the BSS entry or %NULL if not found
1039  */
1040 struct wpa_bss * wpa_bss_get_p2p_dev_addr(struct wpa_supplicant *wpa_s,
1041 					  const u8 *dev_addr)
1042 {
1043 	struct wpa_bss *bss;
1044 	dl_list_for_each_reverse(bss, &wpa_s->bss, struct wpa_bss, list) {
1045 		u8 addr[ETH_ALEN];
1046 		if (p2p_parse_dev_addr((const u8 *) (bss + 1), bss->ie_len,
1047 				       addr) == 0 &&
1048 		    os_memcmp(addr, dev_addr, ETH_ALEN) == 0)
1049 			return bss;
1050 	}
1051 	return NULL;
1052 }
1053 #endif /* CONFIG_P2P */
1054 
1055 
1056 /**
1057  * wpa_bss_get_id - Fetch a BSS table entry based on identifier
1058  * @wpa_s: Pointer to wpa_supplicant data
1059  * @id: Unique identifier (struct wpa_bss::id) assigned for the entry
1060  * Returns: Pointer to the BSS entry or %NULL if not found
1061  */
1062 struct wpa_bss * wpa_bss_get_id(struct wpa_supplicant *wpa_s, unsigned int id)
1063 {
1064 	struct wpa_bss *bss;
1065 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
1066 		if (bss->id == id)
1067 			return bss;
1068 	}
1069 	return NULL;
1070 }
1071 
1072 
1073 /**
1074  * wpa_bss_get_id_range - Fetch a BSS table entry based on identifier range
1075  * @wpa_s: Pointer to wpa_supplicant data
1076  * @idf: Smallest allowed identifier assigned for the entry
1077  * @idf: Largest allowed identifier assigned for the entry
1078  * Returns: Pointer to the BSS entry or %NULL if not found
1079  *
1080  * This function is similar to wpa_bss_get_id() but allows a BSS entry with the
1081  * smallest id value to be fetched within the specified range without the
1082  * caller having to know the exact id.
1083  */
1084 struct wpa_bss * wpa_bss_get_id_range(struct wpa_supplicant *wpa_s,
1085 				      unsigned int idf, unsigned int idl)
1086 {
1087 	struct wpa_bss *bss;
1088 	dl_list_for_each(bss, &wpa_s->bss_id, struct wpa_bss, list_id) {
1089 		if (bss->id >= idf && bss->id <= idl)
1090 			return bss;
1091 	}
1092 	return NULL;
1093 }
1094 
1095 
1096 /**
1097  * wpa_bss_get_ie - Fetch a specified information element from a BSS entry
1098  * @bss: BSS table entry
1099  * @ie: Information element identitifier (WLAN_EID_*)
1100  * Returns: Pointer to the information element (id field) or %NULL if not found
1101  *
1102  * This function returns the first matching information element in the BSS
1103  * entry.
1104  */
1105 const u8 * wpa_bss_get_ie(const struct wpa_bss *bss, u8 ie)
1106 {
1107 	return get_ie((const u8 *) (bss + 1), bss->ie_len, ie);
1108 }
1109 
1110 
1111 /**
1112  * wpa_bss_get_vendor_ie - Fetch a vendor information element from a BSS entry
1113  * @bss: BSS table entry
1114  * @vendor_type: Vendor type (four octets starting the IE payload)
1115  * Returns: Pointer to the information element (id field) or %NULL if not found
1116  *
1117  * This function returns the first matching information element in the BSS
1118  * entry.
1119  */
1120 const u8 * wpa_bss_get_vendor_ie(const struct wpa_bss *bss, u32 vendor_type)
1121 {
1122 	const u8 *end, *pos;
1123 
1124 	pos = (const u8 *) (bss + 1);
1125 	end = pos + bss->ie_len;
1126 
1127 	while (end - pos > 1) {
1128 		if (2 + pos[1] > end - pos)
1129 			break;
1130 		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1131 		    vendor_type == WPA_GET_BE32(&pos[2]))
1132 			return pos;
1133 		pos += 2 + pos[1];
1134 	}
1135 
1136 	return NULL;
1137 }
1138 
1139 
1140 /**
1141  * wpa_bss_get_vendor_ie_beacon - Fetch a vendor information from a BSS entry
1142  * @bss: BSS table entry
1143  * @vendor_type: Vendor type (four octets starting the IE payload)
1144  * Returns: Pointer to the information element (id field) or %NULL if not found
1145  *
1146  * This function returns the first matching information element in the BSS
1147  * entry.
1148  *
1149  * This function is like wpa_bss_get_vendor_ie(), but uses IE buffer only
1150  * from Beacon frames instead of either Beacon or Probe Response frames.
1151  */
1152 const u8 * wpa_bss_get_vendor_ie_beacon(const struct wpa_bss *bss,
1153 					u32 vendor_type)
1154 {
1155 	const u8 *end, *pos;
1156 
1157 	if (bss->beacon_ie_len == 0)
1158 		return NULL;
1159 
1160 	pos = (const u8 *) (bss + 1);
1161 	pos += bss->ie_len;
1162 	end = pos + bss->beacon_ie_len;
1163 
1164 	while (end - pos > 1) {
1165 		if (2 + pos[1] > end - pos)
1166 			break;
1167 		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1168 		    vendor_type == WPA_GET_BE32(&pos[2]))
1169 			return pos;
1170 		pos += 2 + pos[1];
1171 	}
1172 
1173 	return NULL;
1174 }
1175 
1176 
1177 /**
1178  * wpa_bss_get_vendor_ie_multi - Fetch vendor IE data from a BSS entry
1179  * @bss: BSS table entry
1180  * @vendor_type: Vendor type (four octets starting the IE payload)
1181  * Returns: Pointer to the information element payload or %NULL if not found
1182  *
1183  * This function returns concatenated payload of possibly fragmented vendor
1184  * specific information elements in the BSS entry. The caller is responsible for
1185  * freeing the returned buffer.
1186  */
1187 struct wpabuf * wpa_bss_get_vendor_ie_multi(const struct wpa_bss *bss,
1188 					    u32 vendor_type)
1189 {
1190 	struct wpabuf *buf;
1191 	const u8 *end, *pos;
1192 
1193 	buf = wpabuf_alloc(bss->ie_len);
1194 	if (buf == NULL)
1195 		return NULL;
1196 
1197 	pos = (const u8 *) (bss + 1);
1198 	end = pos + bss->ie_len;
1199 
1200 	while (end - pos > 1) {
1201 		if (2 + pos[1] > end - pos)
1202 			break;
1203 		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1204 		    vendor_type == WPA_GET_BE32(&pos[2]))
1205 			wpabuf_put_data(buf, pos + 2 + 4, pos[1] - 4);
1206 		pos += 2 + pos[1];
1207 	}
1208 
1209 	if (wpabuf_len(buf) == 0) {
1210 		wpabuf_free(buf);
1211 		buf = NULL;
1212 	}
1213 
1214 	return buf;
1215 }
1216 
1217 
1218 /**
1219  * wpa_bss_get_vendor_ie_multi_beacon - Fetch vendor IE data from a BSS entry
1220  * @bss: BSS table entry
1221  * @vendor_type: Vendor type (four octets starting the IE payload)
1222  * Returns: Pointer to the information element payload or %NULL if not found
1223  *
1224  * This function returns concatenated payload of possibly fragmented vendor
1225  * specific information elements in the BSS entry. The caller is responsible for
1226  * freeing the returned buffer.
1227  *
1228  * This function is like wpa_bss_get_vendor_ie_multi(), but uses IE buffer only
1229  * from Beacon frames instead of either Beacon or Probe Response frames.
1230  */
1231 struct wpabuf * wpa_bss_get_vendor_ie_multi_beacon(const struct wpa_bss *bss,
1232 						   u32 vendor_type)
1233 {
1234 	struct wpabuf *buf;
1235 	const u8 *end, *pos;
1236 
1237 	buf = wpabuf_alloc(bss->beacon_ie_len);
1238 	if (buf == NULL)
1239 		return NULL;
1240 
1241 	pos = (const u8 *) (bss + 1);
1242 	pos += bss->ie_len;
1243 	end = pos + bss->beacon_ie_len;
1244 
1245 	while (end - pos > 1) {
1246 		if (2 + pos[1] > end - pos)
1247 			break;
1248 		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
1249 		    vendor_type == WPA_GET_BE32(&pos[2]))
1250 			wpabuf_put_data(buf, pos + 2 + 4, pos[1] - 4);
1251 		pos += 2 + pos[1];
1252 	}
1253 
1254 	if (wpabuf_len(buf) == 0) {
1255 		wpabuf_free(buf);
1256 		buf = NULL;
1257 	}
1258 
1259 	return buf;
1260 }
1261 
1262 
1263 /**
1264  * wpa_bss_get_max_rate - Get maximum legacy TX rate supported in a BSS
1265  * @bss: BSS table entry
1266  * Returns: Maximum legacy rate in units of 500 kbps
1267  */
1268 int wpa_bss_get_max_rate(const struct wpa_bss *bss)
1269 {
1270 	int rate = 0;
1271 	const u8 *ie;
1272 	int i;
1273 
1274 	ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1275 	for (i = 0; ie && i < ie[1]; i++) {
1276 		if ((ie[i + 2] & 0x7f) > rate)
1277 			rate = ie[i + 2] & 0x7f;
1278 	}
1279 
1280 	ie = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1281 	for (i = 0; ie && i < ie[1]; i++) {
1282 		if ((ie[i + 2] & 0x7f) > rate)
1283 			rate = ie[i + 2] & 0x7f;
1284 	}
1285 
1286 	return rate;
1287 }
1288 
1289 
1290 /**
1291  * wpa_bss_get_bit_rates - Get legacy TX rates supported in a BSS
1292  * @bss: BSS table entry
1293  * @rates: Buffer for returning a pointer to the rates list (units of 500 kbps)
1294  * Returns: number of legacy TX rates or -1 on failure
1295  *
1296  * The caller is responsible for freeing the returned buffer with os_free() in
1297  * case of success.
1298  */
1299 int wpa_bss_get_bit_rates(const struct wpa_bss *bss, u8 **rates)
1300 {
1301 	const u8 *ie, *ie2;
1302 	int i, j;
1303 	unsigned int len;
1304 	u8 *r;
1305 
1306 	ie = wpa_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
1307 	ie2 = wpa_bss_get_ie(bss, WLAN_EID_EXT_SUPP_RATES);
1308 
1309 	len = (ie ? ie[1] : 0) + (ie2 ? ie2[1] : 0);
1310 
1311 	r = os_malloc(len);
1312 	if (!r)
1313 		return -1;
1314 
1315 	for (i = 0; ie && i < ie[1]; i++)
1316 		r[i] = ie[i + 2] & 0x7f;
1317 
1318 	for (j = 0; ie2 && j < ie2[1]; j++)
1319 		r[i + j] = ie2[j + 2] & 0x7f;
1320 
1321 	*rates = r;
1322 	return len;
1323 }
1324 
1325 
1326 #ifdef CONFIG_FILS
1327 const u8 * wpa_bss_get_fils_cache_id(struct wpa_bss *bss)
1328 {
1329 	const u8 *ie;
1330 
1331 	if (bss) {
1332 		ie = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
1333 		if (ie && ie[1] >= 4 && WPA_GET_LE16(ie + 2) & BIT(7))
1334 			return ie + 4;
1335 	}
1336 
1337 	return NULL;
1338 }
1339 #endif /* CONFIG_FILS */
1340