1 /*
2  * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
3  * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
4  *
5  * Permission to use, copy, modify, and/or distribute this software for
6  * any purpose with or without fee is hereby granted, provided that the
7  * above copyright notice and this permission notice appear in all
8  * copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
11  * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
12  * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
13  * AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
14  * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
15  * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
16  * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17  * PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 /*
21  * This file lim_process_probe_req_frame.cc contains the code
22  * for processing Probe Request Frame.
23  * Author:        Chandra Modumudi
24  * Date:          02/28/02
25  * History:-
26  * Date           Modified by    Modification Information
27  * --------------------------------------------------------------------
28  *
29  */
30 
31 #include "wni_cfg.h"
32 #include "ani_global.h"
33 
34 #include "utils_api.h"
35 #include "lim_types.h"
36 #include "lim_utils.h"
37 #include "lim_assoc_utils.h"
38 #include "lim_ser_des_utils.h"
39 #include "parser_api.h"
40 #include "lim_ft_defs.h"
41 #include "lim_session.h"
42 #include "wlan_utility.h"
43 
44 void
45 
46 lim_send_sme_probe_req_ind(struct mac_context *mac,
47 			   tSirMacAddr peerMacAddr,
48 			   uint8_t *pProbeReqIE,
49 			   uint32_t ProbeReqIELen, struct pe_session *pe_session);
50 
51 /**
52  * lim_remove_timeout_pbc_sessions() - remove pbc probe req entries.
53  * @mac - Pointer to Global MAC structure
54  * @pbc - The beginning entry in WPS PBC probe request link list
55  *
56  * This function is called to remove the WPS PBC probe request entries from
57  * specific entry to end.
58  *
59  * Return - None
60  */
lim_remove_timeout_pbc_sessions(struct mac_context * mac,tSirWPSPBCSession * pbc)61 static void lim_remove_timeout_pbc_sessions(struct mac_context *mac,
62 					    tSirWPSPBCSession *pbc)
63 {
64 	tSirWPSPBCSession *prev;
65 
66 	while (pbc) {
67 		prev = pbc;
68 		pbc = pbc->next;
69 		pe_debug("WPS PBC sessions remove");
70 		QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG,
71 			   prev->addr.bytes, QDF_MAC_ADDR_SIZE);
72 		QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG,
73 			   prev->uuid_e, SIR_WPS_UUID_LEN);
74 
75 		qdf_mem_free(prev);
76 	}
77 }
78 
79 /**
80  * lim_update_pbc_session_entry
81  *
82  ***FUNCTION:
83  * This function is called when probe request with WPS PBC IE is received
84  *
85  ***LOGIC:
86  * This function add the WPS PBC probe request in the WPS PBC probe request link list
87  * The link list is in decreased time order of probe request that is received.
88  * The entry that is more than 120 second is removed.
89  *
90  ***ASSUMPTIONS:
91  *
92  *
93  ***NOTE:
94  *
95  * @param  mac   Pointer to Global MAC structure
96  * @param  addr   A pointer to probe request source MAC address
97  * @param  uuid_e A pointer to UUIDE element of WPS IE
98  * @param  pe_session   A pointer to station PE session
99  *
100  * @return None
101  */
102 
lim_update_pbc_session_entry(struct mac_context * mac,uint8_t * addr,uint8_t * uuid_e,struct pe_session * pe_session)103 static void lim_update_pbc_session_entry(struct mac_context *mac,
104 					 uint8_t *addr, uint8_t *uuid_e,
105 					 struct pe_session *pe_session)
106 {
107 	tSirWPSPBCSession *pbc, *prev = NULL;
108 
109 	uint32_t curTime;
110 
111 	curTime =
112 		(uint32_t) (qdf_mc_timer_get_system_ticks() /
113 			    QDF_TICKS_PER_SECOND);
114 
115 	pe_debug("Receive WPS probe request curTime: %d", curTime);
116 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG,
117 			   addr, QDF_MAC_ADDR_SIZE);
118 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG,
119 			   uuid_e, SIR_WPS_UUID_LEN);
120 
121 	pbc = pe_session->pAPWPSPBCSession;
122 
123 	while (pbc) {
124 		if ((!qdf_mem_cmp
125 			    ((uint8_t *) pbc->addr.bytes, (uint8_t *) addr,
126 			    QDF_MAC_ADDR_SIZE))
127 		    && (!qdf_mem_cmp((uint8_t *) pbc->uuid_e,
128 				       (uint8_t *) uuid_e, SIR_WPS_UUID_LEN))) {
129 			if (prev)
130 				prev->next = pbc->next;
131 			else
132 				pe_session->pAPWPSPBCSession = pbc->next;
133 			break;
134 		}
135 		prev = pbc;
136 		pbc = pbc->next;
137 	}
138 
139 	if (!pbc) {
140 		pbc = qdf_mem_malloc(sizeof(tSirWPSPBCSession));
141 		if (!pbc)
142 			return;
143 		qdf_mem_copy((uint8_t *) pbc->addr.bytes, (uint8_t *) addr,
144 			     QDF_MAC_ADDR_SIZE);
145 
146 		if (uuid_e)
147 			qdf_mem_copy((uint8_t *) pbc->uuid_e,
148 				     (uint8_t *) uuid_e, SIR_WPS_UUID_LEN);
149 	}
150 
151 	pbc->next = pe_session->pAPWPSPBCSession;
152 	pe_session->pAPWPSPBCSession = pbc;
153 	pbc->timestamp = curTime;
154 
155 	/* remove entries that have timed out */
156 	prev = pbc;
157 	pbc = pbc->next;
158 
159 	while (pbc) {
160 		if (curTime > pbc->timestamp + SIR_WPS_PBC_WALK_TIME) {
161 			prev->next = NULL;
162 			lim_remove_timeout_pbc_sessions(mac, pbc);
163 			break;
164 		}
165 		prev = pbc;
166 		pbc = pbc->next;
167 	}
168 }
169 
170 /**
171  * lim_wpspbc_close
172  *
173  ***FUNCTION:
174  * This function is called when BSS is closed
175  *
176  ***LOGIC:
177  * This function remove all the WPS PBC entries
178  *
179  ***ASSUMPTIONS:
180  *
181  *
182  ***NOTE:
183  *
184  * @param  mac   Pointer to Global MAC structure
185  * @param  pe_session   A pointer to station PE session
186  *
187  * @return None
188  */
189 
lim_wpspbc_close(struct mac_context * mac,struct pe_session * pe_session)190 void lim_wpspbc_close(struct mac_context *mac, struct pe_session *pe_session)
191 {
192 
193 	lim_remove_timeout_pbc_sessions(mac, pe_session->pAPWPSPBCSession);
194 
195 }
196 
197 /**
198  * lim_check11b_rates
199  *
200  ***FUNCTION:
201  * This function is called by lim_process_probe_req_frame() upon
202  * Probe Request frame reception.
203  *
204  ***LOGIC:
205  * This function check 11b rates in supportedRates and extendedRates rates
206  *
207  ***NOTE:
208  *
209  * @param  rate
210  *
211  * @return BOOLEAN
212  */
213 
lim_check11b_rates(uint8_t rate)214 static bool lim_check11b_rates(uint8_t rate)
215 {
216 	if ((0x02 == (rate))
217 	    || (0x04 == (rate))
218 	    || (0x0b == (rate))
219 	    || (0x16 == (rate))
220 	    ) {
221 		return true;
222 	}
223 	return false;
224 }
225 
226 #ifdef CONFIG_BAND_6GHZ
227 /**
228  * lim_need_broadcast_probe_rsp: check whether need broadcast probe rsp
229  * @session: a pointer to session entry
230  * @probe_req_da: probe request dst addr
231  *
232  * Return: bool
233  */
lim_need_broadcast_probe_rsp(struct pe_session * session,tSirMacAddr probe_req_da)234 static bool lim_need_broadcast_probe_rsp(struct pe_session *session,
235 					 tSirMacAddr probe_req_da)
236 {
237 	if (WLAN_REG_IS_6GHZ_CHAN_FREQ(session->curr_op_freq) &&
238 	    QDF_IS_ADDR_BROADCAST(probe_req_da))
239 		return true;
240 	else
241 		return false;
242 }
243 #else
lim_need_broadcast_probe_rsp(struct pe_session * session,tSirMacAddr probe_req_da)244 static bool lim_need_broadcast_probe_rsp(struct pe_session *session,
245 					 tSirMacAddr probe_req_da)
246 {
247 	return false;
248 }
249 #endif
250 
251 /**
252  * lim_process_probe_req_frame: to process probe req frame
253  * @mac_ctx: Pointer to Global MAC structure
254  * @rx_pkt_info: A pointer to Buffer descriptor + associated PDUs
255  * @session: a pointer to session entry
256  *
257  * This function is called by limProcessMessageQueue() upon
258  * Probe Request frame reception. This function processes received
259  * Probe Request frame and responds with Probe Response.
260  * Only AP or STA in IBSS mode that sent last Beacon will respond to
261  * Probe Request.
262  * ASSUMPTIONS:
263  * 1. AP or STA in IBSS mode that sent last Beacon will always respond
264  *    to Probe Request received with broadcast SSID.
265  * NOTE:
266  * 1. Dunno what to do with Rates received in Probe Request frame
267  * 2. Frames with out-of-order fields/IEs are dropped.
268  *
269  *
270  * Return: none
271  */
272 
273 void
lim_process_probe_req_frame(struct mac_context * mac_ctx,uint8_t * rx_pkt_info,struct pe_session * session)274 lim_process_probe_req_frame(struct mac_context *mac_ctx, uint8_t *rx_pkt_info,
275 		struct pe_session *session)
276 {
277 	uint8_t *body_ptr;
278 	tpSirMacMgmtHdr mac_hdr;
279 	uint32_t frame_len;
280 	tpSirProbeReq probe_req = NULL;
281 	tAniSSID ssid;
282 	uint8_t *uuid;
283 	tSirMacAddr dst_mac;
284 
285 	mac_hdr = WMA_GET_RX_MAC_HEADER(rx_pkt_info);
286 	if (LIM_IS_AP_ROLE(session) &&
287 	    session->curr_op_freq == WMA_GET_RX_FREQ(rx_pkt_info)) {
288 		frame_len = WMA_GET_RX_PAYLOAD_LEN(rx_pkt_info);
289 
290 		pe_debug("Received Probe Request: %d bytes from "QDF_MAC_ADDR_FMT,
291 			 frame_len, QDF_MAC_ADDR_REF(mac_hdr->sa));
292 		/* Get pointer to Probe Request frame body */
293 		body_ptr = WMA_GET_RX_MPDU_DATA(rx_pkt_info);
294 
295 		/* check for vendor IE presence */
296 		if ((session->access_policy_vendor_ie) &&
297 			(session->access_policy ==
298 			LIM_ACCESS_POLICY_RESPOND_IF_IE_IS_PRESENT)) {
299 			if (!wlan_get_vendor_ie_ptr_from_oui(
300 				&session->access_policy_vendor_ie[2],
301 				3, body_ptr, frame_len)) {
302 				pe_warn("Vendor IE is not present and access policy is: %x dropping probe request",
303 					session->access_policy);
304 				return;
305 			}
306 		}
307 
308 		probe_req = qdf_mem_malloc(sizeof(tSirProbeReq));
309 		if (!probe_req)
310 			return;
311 
312 		/* Parse Probe Request frame */
313 		if (sir_convert_probe_req_frame2_struct(mac_ctx, body_ptr,
314 				frame_len, probe_req) == QDF_STATUS_E_FAILURE) {
315 			pe_err("Parse error ProbeReq, length: %d, SA is: "
316 					QDF_MAC_ADDR_FMT, frame_len,
317 					QDF_MAC_ADDR_REF(mac_hdr->sa));
318 			goto free_and_exit;
319 		}
320 		if (session->opmode == QDF_P2P_GO_MODE) {
321 			uint8_t i = 0, rate_11b = 0, other_rates = 0;
322 			/* Check 11b rates in supported rates */
323 			for (i = 0; i < probe_req->supportedRates.numRates;
324 				i++) {
325 				if (lim_check11b_rates(
326 					probe_req->supportedRates.rate[i] &
327 								0x7f))
328 					rate_11b++;
329 				else
330 					other_rates++;
331 			}
332 
333 			/* Check 11b rates in extended rates */
334 			for (i = 0; i < probe_req->extendedRates.numRates;
335 			     i++) {
336 				if (lim_check11b_rates(
337 					probe_req->extendedRates.rate[i] &
338 					0x7f))
339 					rate_11b++;
340 				else
341 					other_rates++;
342 			}
343 
344 			if ((rate_11b > 0) && (other_rates == 0)) {
345 				pe_debug("Received a probe req frame with only 11b rates, SA: "QDF_MAC_ADDR_FMT,
346 					 QDF_MAC_ADDR_REF(mac_hdr->sa));
347 					goto free_and_exit;
348 			}
349 		}
350 		if (LIM_IS_AP_ROLE(session) &&
351 			((session->APWPSIEs.SirWPSProbeRspIE.FieldPresent
352 				& SIR_WPS_PROBRSP_VER_PRESENT) &&
353 			(probe_req->wscIePresent == 1) &&
354 			(probe_req->probeReqWscIeInfo.DevicePasswordID.id ==
355 				WSC_PASSWD_ID_PUSH_BUTTON) &&
356 			(probe_req->probeReqWscIeInfo.UUID_E.present == 1))) {
357 			if (session->fwdWPSPBCProbeReq) {
358 				QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE,
359 						   QDF_TRACE_LEVEL_DEBUG,
360 						   mac_hdr->sa,
361 						   QDF_MAC_ADDR_SIZE);
362 				QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE,
363 						   QDF_TRACE_LEVEL_DEBUG,
364 						   body_ptr, frame_len);
365 				lim_send_sme_probe_req_ind(mac_ctx, mac_hdr->sa,
366 					body_ptr, frame_len, session);
367 			} else {
368 				uuid = probe_req->probeReqWscIeInfo.UUID_E.uuid;
369 				lim_update_pbc_session_entry(mac_ctx,
370 							     mac_hdr->sa,
371 							     uuid,
372 							     session);
373 			}
374 		}
375 		ssid.length = session->ssId.length;
376 		/* Copy the SSID from session entry to local variable */
377 		qdf_mem_copy(ssid.ssId, session->ssId.ssId,
378 				session->ssId.length);
379 
380 		if (lim_need_broadcast_probe_rsp(session, mac_hdr->da))
381 			qdf_set_macaddr_broadcast((struct qdf_mac_addr *)dst_mac);
382 		else
383 			qdf_mem_copy(dst_mac, mac_hdr->sa, ETH_ALEN);
384 
385 		/*
386 		 * Compare received SSID with current SSID. If they match,
387 		 * reply with Probe Response
388 		 */
389 		if (probe_req->ssId.length) {
390 			if (!ssid.length)
391 				goto multipleSSIDcheck;
392 
393 			if (!qdf_mem_cmp((uint8_t *) &ssid,
394 						(uint8_t *)&probe_req->ssId,
395 						(uint8_t)(ssid.length + 1))) {
396 				lim_send_probe_rsp_mgmt_frame(mac_ctx,
397 						dst_mac, &ssid,
398 						session,
399 						probe_req->p2pIePresent);
400 				goto free_and_exit;
401 			} else if (session->opmode ==
402 					QDF_P2P_GO_MODE) {
403 				uint8_t direct_ssid[7] = "DIRECT-";
404 				uint8_t direct_ssid_len = 7;
405 
406 				if (!qdf_mem_cmp((uint8_t *) &direct_ssid,
407 					(uint8_t *)&probe_req->ssId.ssId,
408 					(uint8_t)(direct_ssid_len))) {
409 					lim_send_probe_rsp_mgmt_frame(
410 						mac_ctx, dst_mac, &ssid,
411 						session,
412 						probe_req->p2pIePresent);
413 					goto free_and_exit;
414 				}
415 			} else {
416 				pe_debug("Ignore ProbeReq frm with unmatch SSID received from SA: "QDF_MAC_ADDR_FMT,
417 					 QDF_MAC_ADDR_REF(mac_hdr->sa));
418 			}
419 		} else {
420 			/*
421 			 * Broadcast SSID in the Probe Request.
422 			 * Reply with SSID we're configured with.
423 			 * Turn off the SSID length to 0 if hidden SSID feature
424 			 * is present
425 			 */
426 			if (session->ssidHidden)
427 				/*
428 				 * We are returning from here as probe request
429 				 * contains the broadcast SSID. So no need to
430 				 * send the probe resp
431 				 */
432 				goto free_and_exit;
433 			lim_send_probe_rsp_mgmt_frame(mac_ctx, dst_mac,
434 						      &ssid,
435 						      session,
436 						      probe_req->p2pIePresent);
437 			goto free_and_exit;
438 		}
439 multipleSSIDcheck:
440 		pe_debug("Ignore ProbeReq frm with unmatch SSID rcved from SA: "QDF_MAC_ADDR_FMT,
441 			 QDF_MAC_ADDR_REF(mac_hdr->sa));
442 	} else {
443 		/* Ignore received Probe Request frame */
444 		pe_debug("Ignoring Probe Request frame received from SA: "QDF_MAC_ADDR_FMT,
445 			 QDF_MAC_ADDR_REF(mac_hdr->sa));
446 	}
447 
448 free_and_exit:
449 	qdf_mem_free(probe_req);
450 	return;
451 }
452 
453 /**
454  * lim_indicate_probe_req_to_hdd
455  *
456  ***FUNCTION:
457  * This function is called by lim_process_probe_req_frame_multiple_bss() upon
458  * Probe Request frame reception.
459  *
460  ***LOGIC:
461  * This function processes received Probe Request frame and Pass
462  * Probe Request Frame to HDD.
463  *
464  * @param  mac              Pointer to Global MAC structure
465  * @param  *pBd              A pointer to Buffer descriptor + associated PDUs
466  * @param  pe_session     A pointer to PE session
467  *
468  * @return None
469  */
470 
471 static void
lim_indicate_probe_req_to_hdd(struct mac_context * mac,uint8_t * pBd,struct pe_session * pe_session)472 lim_indicate_probe_req_to_hdd(struct mac_context *mac, uint8_t *pBd,
473 			      struct pe_session *pe_session)
474 {
475 	tpSirMacMgmtHdr pHdr;
476 	uint32_t frameLen;
477 
478 	pe_debug("Received a probe request frame");
479 
480 	pHdr = WMA_GET_RX_MAC_HEADER(pBd);
481 	frameLen = WMA_GET_RX_PAYLOAD_LEN(pBd);
482 
483 	/* send the probe req to SME. */
484 	lim_send_sme_mgmt_frame_ind(mac, pHdr->fc.subType,
485 				    (uint8_t *) pHdr,
486 				    (frameLen + sizeof(tSirMacMgmtHdr)),
487 				    pe_session->vdev_id,
488 				    WMA_GET_RX_FREQ(pBd),
489 				    WMA_GET_RX_RSSI_NORMALIZED(pBd),
490 				    RXMGMT_FLAG_NONE);
491 } /*** end lim_indicate_probe_req_to_hdd() ***/
492 
493 /**
494  * lim_process_probe_req_frame_multiple_bss() - to process probe req
495  * @mac_ctx: Pointer to Global MAC structure
496  * @buf_descr: A pointer to Buffer descriptor + associated PDUs
497  * @session: A pointer to PE session
498  *
499  * This function is called by limProcessMessageQueue() upon
500  * Probe Request frame reception. This function call
501  * lim_indicate_probe_req_to_hdd function to indicate
502  * Probe Request frame to HDD. It also call lim_process_probe_req_frame
503  * function which process received Probe Request frame and responds
504  * with Probe Response.
505  *
506  * @return None
507  */
508 void
lim_process_probe_req_frame_multiple_bss(struct mac_context * mac_ctx,uint8_t * buf_descr,struct pe_session * session)509 lim_process_probe_req_frame_multiple_bss(struct mac_context *mac_ctx,
510 			uint8_t *buf_descr, struct pe_session *session)
511 {
512 	uint8_t i;
513 	struct wlan_channel *chan;
514 	uint16_t probe_req_freq = WMA_GET_RX_FREQ(buf_descr);
515 
516 	if (session) {
517 		if (LIM_IS_AP_ROLE(session)) {
518 			lim_indicate_probe_req_to_hdd(mac_ctx,
519 					buf_descr, session);
520 		}
521 		lim_process_probe_req_frame(mac_ctx, buf_descr, session);
522 		return;
523 	}
524 
525 	for (i = 0; i < mac_ctx->lim.maxBssId; i++) {
526 		session = pe_find_session_by_session_id(mac_ctx, i);
527 		if (!session)
528 			continue;
529 
530 		if (!LIM_IS_AP_ROLE(session))
531 			continue;
532 
533 		if (wlan_vdev_is_up(session->vdev) != QDF_STATUS_SUCCESS)
534 			continue;
535 
536 		chan = wlan_vdev_get_active_channel(session->vdev);
537 		/**
538 		 * For GO present on 5G/6G/2G band channel and if probe req
539 		 * is received for p2p listen on the listen channel then no
540 		 * need to send probe resp on GO operating channel
541 		 **/
542 		if (!chan || chan->ch_freq != probe_req_freq) {
543 			pe_debug("do not send probe resp to requested probe freq %d",
544 				 probe_req_freq);
545 			continue;
546 		}
547 
548 		lim_indicate_probe_req_to_hdd(mac_ctx,
549 					      buf_descr, session);
550 		lim_process_probe_req_frame(mac_ctx,
551 					    buf_descr, session);
552 	}
553 }
554 
555 /**
556  * lim_send_sme_probe_req_ind()
557  *
558  ***FUNCTION:
559  * This function is to send
560  *  eWNI_SME_WPS_PBC_PROBE_REQ_IND message to host
561  *
562  ***PARAMS:
563  *
564  ***LOGIC:
565  *
566  ***ASSUMPTIONS:
567  * NA
568  *
569  ***NOTE:
570  * This function is used for sending  eWNI_SME_WPS_PBC_PROBE_REQ_IND
571  * to host.
572  *
573  * @param peerMacAddr       Indicates the peer MAC addr that the probe request
574  *                          is generated.
575  * @param pProbeReqIE       pointer to RAW probe request IE
576  * @param ProbeReqIELen     The length of probe request IE.
577  * @param pe_session     A pointer to PE session
578  *
579  * @return None
580  */
581 void
lim_send_sme_probe_req_ind(struct mac_context * mac,tSirMacAddr peerMacAddr,uint8_t * pProbeReqIE,uint32_t ProbeReqIELen,struct pe_session * pe_session)582 lim_send_sme_probe_req_ind(struct mac_context *mac,
583 			   tSirMacAddr peerMacAddr,
584 			   uint8_t *pProbeReqIE,
585 			   uint32_t ProbeReqIELen, struct pe_session *pe_session)
586 {
587 	tSirSmeProbeReqInd *pSirSmeProbeReqInd;
588 	struct scheduler_msg msgQ = {0};
589 
590 	pSirSmeProbeReqInd = qdf_mem_malloc(sizeof(tSirSmeProbeReqInd));
591 	if (!pSirSmeProbeReqInd)
592 		return;
593 
594 	msgQ.type = eWNI_SME_WPS_PBC_PROBE_REQ_IND;
595 	msgQ.bodyval = 0;
596 	msgQ.bodyptr = pSirSmeProbeReqInd;
597 
598 	pSirSmeProbeReqInd->messageType = eWNI_SME_WPS_PBC_PROBE_REQ_IND;
599 	pSirSmeProbeReqInd->length = sizeof(*pSirSmeProbeReqInd);
600 	pSirSmeProbeReqInd->sessionId = pe_session->smeSessionId;
601 
602 	qdf_mem_copy(pSirSmeProbeReqInd->bssid.bytes, pe_session->bssId,
603 		     QDF_MAC_ADDR_SIZE);
604 	qdf_mem_copy(pSirSmeProbeReqInd->WPSPBCProbeReq.peer_macaddr.bytes,
605 		     peerMacAddr, QDF_MAC_ADDR_SIZE);
606 
607 	MTRACE(mac_trace(mac, TRACE_CODE_TX_SME_MSG,
608 				pe_session->peSessionId, msgQ.type));
609 
610 	if (ProbeReqIELen > sizeof(pSirSmeProbeReqInd->WPSPBCProbeReq.
611 	    probeReqIE)) {
612 		ProbeReqIELen = sizeof(pSirSmeProbeReqInd->WPSPBCProbeReq.
613 				       probeReqIE);
614 	}
615 
616 	pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIELen =
617 		(uint16_t) ProbeReqIELen;
618 	qdf_mem_copy(pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIE, pProbeReqIE,
619 		     ProbeReqIELen);
620 
621 	lim_sys_process_mmh_msg_api(mac, &msgQ);
622 
623 } /*** end lim_send_sme_probe_req_ind() ***/
624