Clean up get_seqnum() use for IPN
Some driver wrappers may implement this by writing eight octets even though IPN is only six octets. Use a separate WPA_KEY_RSC_LEN (8) octet buffer in the call to make sure there is enough buffer room available for the full returned value and then copy it to IPN field. The previous implementation used the following igtk field as the extra buffer and then initialized that field afterwards, so this change does not fix any real issue in behavior, but it is cleaner to use an explicit buffer of the maximum length for get_seqnum(). Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
29179b881e
commit
03610ad28d
1 changed files with 4 additions and 1 deletions
|
|
@ -1863,6 +1863,7 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
|
|||
{
|
||||
struct wpa_igtk_kde igtk;
|
||||
struct wpa_group *gsm = sm->group;
|
||||
u8 rsc[WPA_KEY_RSC_LEN];
|
||||
|
||||
if (!sm->mgmt_frame_prot)
|
||||
return pos;
|
||||
|
|
@ -1870,8 +1871,10 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
|
|||
igtk.keyid[0] = gsm->GN_igtk;
|
||||
igtk.keyid[1] = 0;
|
||||
if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
|
||||
wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
|
||||
wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
|
||||
os_memset(igtk.pn, 0, sizeof(igtk.pn));
|
||||
else
|
||||
os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
|
||||
os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
|
||||
if (sm->wpa_auth->conf.disable_gtk) {
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in a new issue