From 8aa91282a135d2ac611980338912ae00305b6f68 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 22 Aug 2020 14:00:34 +0300
Subject: [PATCH] Fix EAPOL-Key msg 1/4 processing in a corner case

If reassoc_same_bss_optim=1 is used to optimize reassociation back to the same BSS, it was possible for sm->pmk_len to be 0 due to a disconnection event getting processed after sending out the reassociation request. This resulted in wpa_sm_rx_eapol() calling wpa_mic_len() with incorrect PMK length when PMKSA caching was being attempted. That resulted in incorrect mic_len getting determined and not finding the correct Key Data Length field value. This could result in failing to complete 4-way handshake successfully.

Fix this by updating the current PMK length based on the selected PMKSA cache entry if sm->pmk_len is not set when processing EAPOL-Key msg 1/4.

Signed-off-by: Jouni Malinen
---
 src/rsn_supp/wpa.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 7b1218f16..b41e6e427 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2451,13 +2451,16 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
 	u8 *tmp = NULL;
 	int ret = -1;
 	u8 *mic, *key_data;
-	size_t mic_len, keyhdrlen;
+	size_t mic_len, keyhdrlen, pmk_len;
 #ifdef CONFIG_IEEE80211R
 	sm->ft_completed = 0;
 #endif /* CONFIG_IEEE80211R */
-	mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
+	pmk_len = sm->pmk_len;
+	if (!pmk_len && sm->cur_pmksa)
+		pmk_len = sm->cur_pmksa->pmk_len;
+	mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
 	keyhdrlen = sizeof(*key) + mic_len + 2;
 	if (len < sizeof(*hdr) + keyhdrlen) {
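Review bot: The fallback on the added `if (!pmk_len && sm->cur_pmksa)` line repairs only the local `pmk_len` that feeds `mic_len`; `sm->pmk_len` itself is left at 0, so if any later step of the same receive path (MIC verification or key-data decryption) recomputes the MIC length from `sm->pmk_len` instead of reusing the value derived here, it would still see the wrong length — the commit message says the current PMK length is updated, which this hunk does not do, so either the message or the code should be brought in line. The reason `sm->pmk_len` can be 0 at this point is non-obvious and deserves a why-comment ahead of the fallback, e.g. `/* sm->pmk_len may be 0 if a disconnection was processed after a reassoc_same_bss_optim reassociation request; use the selected PMKSA entry's PMK length so mic_len matches the EAPOL-Key frame layout. */`. Note that `mic_len` computed here decides where the Key Data Length field is read in an attacker-controllable frame, so the `len < sizeof(*hdr) + keyhdrlen` check on the hunk's last line is what prevents a mis-sized guess from reading past the buffer; keep that check in mind if the fallback is ever widened. wpa_sm_rx_eapol() starts before and continues after this hunk.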