From 03610ad28d1a93cf6f95150ed76f234c1e54ebd5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 26 Oct 2013 13:30:28 +0300
Subject: [PATCH] Clean up get_seqnum() use for IPN

Some driver wrappers may implement this by writing eight octets even though IPN is only six octets. Use a separate WPA_KEY_RSC_LEN (8) octet buffer in the call to make sure there is enough buffer room available for the full returned value and then copy it to IPN field. The previous implementation used the following igtk field as the extra buffer and then initialized that field afterwards, so this change does not fix any real issue in behavior, but it is cleaner to use an explicit buffer of the maximum length for get_seqnum().

Signed-hostap: Jouni Malinen
---
 src/ap/wpa_auth.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 0286c5b8c..03b15c24a 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1863,6 +1863,7 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
 {
 struct wpa_igtk_kde igtk;
 struct wpa_group *gsm = sm->group;
+ u8 rsc[WPA_KEY_RSC_LEN];

 if (!sm->mgmt_frame_prot)
 return pos;
@@ -1870,8 +1871,10 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
 igtk.keyid[0] = gsm->GN_igtk;
 igtk.keyid[1] = 0;
 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
- wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
+ wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
 os_memset(igtk.pn, 0, sizeof(igtk.pn));
+ else
+ os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
 if (sm->wpa_auth->conf.disable_gtk) {
 /*
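Review bot: The new `rsc` buffer is declared without an initializer in the first hunk, and the `else` branch in the second hunk copies its first six octets straight into `igtk.pn`, which is the IPN field of the IGTK KDE that this function serializes for the station. If any driver wrapper's get_seqnum() returns 0 without filling all six octets (the commit message only states that some write eight, so this is a hedge, not an observed bug), uninitialized stack bytes would be sent on the wire; since the existing failure path already zeroes the PN, the cheap defensive choice is to start from a known value, `u8 rsc[WPA_KEY_RSC_LEN] = { 0 };` or an `os_memset(rsc, 0, sizeof(rsc));` before the call. The copy also silently assumes the IPN occupies the first six of the eight returned octets, which was already the case before the change; a one-line comment above the `os_memcpy`, `/* driver wrappers may return up to 8 octets; IPN is the first 6 */`, would make that contract visible. The body of ieee80211w_kde_add continues past the end of the hunk.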