Strip trailing zero data in EAPOL-Key msg 1/4 when no PMKID to send

EAPOL-Key message 1/4 without PMKID KDE was sent with 22 bytes of stray data following a zero length key data field. These 22 bytes happens to be the exact size of an PMKID KDE. Strip these trailing bytes by checking whether a PMKID is available and adjust pmkid_len to 0 if not. This was seen for example in capture files created by hwsim test case suite_b_192 but code modified to handle also the other cases without PMKID (Suite B no-KCK, FILS without PMKID available, SAE without PMKID available). Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
5 years ago · 307cfc3286
parent 2c5ccfa607
commit 307cfc3286
1 changed files with 2 additions and 1 deletions
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@ -2169,7 +2169,6 @@ SM_STATE(WPA_PTK, PTKSTART)
 			wpa_printf(MSG_DEBUG,
 				   "FT: No PMKID in message 1/4 when using FT protocol");
 			pmkid = NULL;
-			pmkid_len = 0;
 #endif /* CONFIG_IEEE80211R_AP */
 #ifdef CONFIG_SAE
 		} else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
@ -2199,6 +2198,8 @@ SM_STATE(WPA_PTK, PTKSTART)
 				    &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
 		}
 	}
+	if (!pmkid)
+		pmkid_len = 0;
 	wpa_send_eapol(sm->wpa_auth, sm,
 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
 		       sm->ANonce, pmkid, pmkid_len, 0, 0);