jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

FT: Validate protect IE count in FTIE MIC Control

Browse source
This commit is contained in:
Jouni Malinen 2010-04-09 17:08:16 +03:00 committed by Jouni Malinen
parent 148fb67d5e
commit 8aaf894de2
2 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/ap/wpa_auth_ft.c
View file

@ -1094,6 +1094,7 @@ u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
struct rsn_mdie *mdie;
struct rsn_ftie *ftie;
u8 mic[16];
unsigned int count;
if (sm == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
@ -1137,6 +1138,16 @@ u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
return WLAN_STATUS_INVALID_FTIE;
}
count = 3;
if (parse.ric)
count++;
if (ftie->mic_control[1] != count) {
wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
"Control: received %u expected %u",
ftie->mic_control[1], count);
return -1;
}
if (wpa_ft_mic(sm->PTK.kck, sm->addr, sm->wpa_auth->addr, 5,
parse.mdie - 2, parse.mdie_len + 2,
parse.ftie - 2, parse.ftie_len + 2,

8
src/rsn_supp/wpa_ft.c
View file

@ -839,7 +839,7 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
struct wpa_ft_ies parse;
struct rsn_mdie *mdie;
struct rsn_ftie *ftie;
size_t count;
unsigned int count;
u8 mic[16];
wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
@ -925,6 +925,12 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
count = 3;
if (parse.tie)
count++;
if (ftie->mic_control[1] != count) {
wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
"Control: received %u expected %u",
ftie->mic_control[1], count);
return -1;
}
if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, src_addr, 6,
parse.mdie - 2, parse.mdie_len + 2,