From 1489fcf87dbe6dc6a0e38e408a9e629072742251 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 24 Nov 2017 12:21:18 +0200
Subject: [PATCH] FILS: Do not leave error value in left counter

If fils_decrypt_assoc() were to fail on the AP side, the previous implementation could have continued through the response generation using left = -1. That could have resulted in unexpected processing if this value were to be used as the length of the remaining (unencrypted) IEs. Fix this by not updating left in the failure case.

Fixes: 78815f3dde6e ("FILS: Decrypt Association Request elements and check Key-Auth (AP)")
Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 8f5ae87c2..8a307f32b 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -3221,6 +3221,8 @@ static void handle_assoc(struct hostapd_data *hapd,
 if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
 sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
 sta->auth_alg == WLAN_AUTH_FILS_PK) {
+ int res;
+
 /* The end of the payload is encrypted. Need to decrypt it
 * before parsing. */
@@ -3230,13 +3232,14 @@ static void handle_assoc(struct hostapd_data *hapd,
 goto fail;
 }
- left = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
- len, tmp, left);
- if (left < 0) {
+ res = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
+ len, tmp, left);
+ if (res < 0) {
 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 goto fail;
 }
 pos = tmp;
+ left = res;
 }
 #endif /* CONFIG_FILS */
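Review bot: The reason `left` must not be assigned directly from fils_decrypt_assoc() is recorded only in the commit message, so a later cleanup in the second hunk could fold `res` back into `left` and reintroduce the negative length on the `goto fail` path. A short comment above the call would pin it, for example `/* Keep left untouched on failure; the fail path may still use it as the remaining IE length. */`. Separately, on failure `pos` and `left` keep describing the original frame body, whose tail is presumably still encrypted; the `fail` label is outside this hunk, so it is worth confirming that response generation there uses `left` only as a length and does not parse elements from that buffer. handle_assoc() starts and ends outside the hunk.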