From 9a147ba18d097cd2a313c578ca0af33718c0be41 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 5 Apr 2014 19:52:18 +0300
Subject: [PATCH] WNM: Fix regression in Sleep Mode exit key data parsing

Commit dbfb8e82ff69e6c7969b7cd23e53fd39b3e896e7 changed the Action frame RX payload pointer design to point to a different field. WNM Sleep Mode Response handler updated one of the uses to accommodate this change, but that commit missed another use for key data length. This resulted in GTK and IGTK being ignored in many cases when waking up from WNM Sleep Mode with PMF enabled.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/wnm_sta.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 7db6eb69a..952db0ac0 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -235,16 +235,20 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
 const u8 *frm, int len)
 {
 /*
- * Action [1] | Diaglog Token [1] | Key Data Len [2] | Key Data |
+ * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
 * WNM-Sleep Mode IE | TFS Response IE
 */
 u8 *pos = (u8 *) frm; /* point to payload after the action field */
- u16 key_len_total = le_to_host16(*((u16 *)(frm+2)));
+ u16 key_len_total;
 struct wnm_sleep_element *wnmsleep_ie = NULL;
 /* multiple TFS Resp IE (assuming consecutive) */
 u8 *tfsresp_ie_start = NULL;
 u8 *tfsresp_ie_end = NULL;
 
+ if (len < 3)
+ return;
+ key_len_total = WPA_GET_LE16(frm + 1);
+
 wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
 frm[0], key_len_total);
 pos += 3 + key_len_total;
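Review bot: The new `if (len < 3) return;` only proves the three fixed header bytes are present; `key_len_total` is still a peer-supplied value that is used unchecked in `pos += 3 + key_len_total` at the end of the hunk, so a frame advertising a Key Data Len larger than the remaining payload moves `pos` past the end of the received frame before the WNM-Sleep Mode IE and TFS Response IE walk that follows. The bound belongs right after the length is read, e.g. `if (len < 3 || 3 + key_len_total > len) return;` (or an equivalent check after the `WPA_GET_LE16` line), and the later key-data and IE parsing should be bounded by `len - 3 - key_len_total` rather than by the declared length alone. A one-line comment on the guard would make the intent clear, such as `/* Action, Dialog Token and Key Data Len must all be present; key data bounded below */`. The body of `ieee802_11_rx_wnmsleep_resp` continues past the end of this hunk, so I cannot see whether a later check already enforces this; if one exists, moving it up here would keep `pos` in bounds at the point it is computed.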