From 4cfa8b92baf6a568f8aa646448b0854addbb6ac2 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 24 Dec 2019 18:54:38 +0200
Subject: [PATCH] Fix wpa_insert_pmkid() when buffer includes extra IEs

The case where the old RSNE included one or more PMKIDs and that RSNE was followed by another IE was handled incorrectly since the os_memmove() to move the end of the buffer when removing old PMKIDs was stopping copying at the end of the RSNE, not the end of the IE buffer. This could result in corrupting the IE that followed the RSNE. In practice, this broke FT-SAE with H2E by corrupting the RSNXE that is in the buffer after the RSNE. Fix this by copying the full end of the buffer (i.e., including the following RSNXE in the visible error case) when removing the old PMKIDs.

Signed-off-by: Jouni Malinen
---
 src/common/wpa_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index ea9f7a21c..de4b6ecd2 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -2200,7 +2200,7 @@ int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
 "RSN: Remove %u old PMKID(s) from RSNE",
 num_pmkid);
 after = rpos + 2 + num_pmkid * PMKID_LEN;
-os_memmove(rpos + 2, after, rend - after);
+os_memmove(rpos + 2, after, end - after);
 start[1] -= num_pmkid * PMKID_LEN;
 added -= num_pmkid * PMKID_LEN;
 }
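Review bot: The corrected length `end - after` on the added os_memmove() line is only right if `end` still denotes the end of the whole IE buffer at this point and the later shift that makes room for the new PMKID accounts for the removed bytes through `added`; both are outside this hunk and worth confirming. Because the old bound (`rend`) silently truncated the move and corrupted whatever IE followed the RSNE, a comment on that line would keep the next reader from "tightening" it back to the RSNE end: `/* Shift the rest of the IE buffer, not just the rest of the RSNE: any IEs following the RSNE (e.g., RSNXE) must move as well */`. After this move the RSNE has shrunk by `num_pmkid * PMKID_LEN`, so if `rend` is referenced later in the function it now points past the real RSNE end and would need the same adjustment. wpa_insert_pmkid() starts and ends outside the hunk.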