From ae2b4827ccbd503905c699a04fa04ba5ceabbb77 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 27 Jun 2016 13:14:28 +0300
Subject: [PATCH] GAS: Check protected/unprotected drop after action code check

Apply the GAS specific rule of using Protected Dual of Public Action frame only after having checked that the action code indicates this to be a GAS response. Previously, non-GAS Public Action frames could have been incorrectly dropped because of this check if received during an association with PMF enabled.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/gas_query.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index c28fefa4c..824d35c04 100644
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -512,6 +512,14 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
 if (gas == NULL || len < 4)
 return -1;

+ pos = data;
+ action = *pos++;
+ dialog_token = *pos++;
+
+ if (action != WLAN_PA_GAS_INITIAL_RESP &&
+ action != WLAN_PA_GAS_COMEBACK_RESP)
+ return -1; /* Not a GAS response */
+
 prot = categ == WLAN_ACTION_PROTECTED_DUAL;
 pmf = pmf_in_use(gas->wpa_s, sa);
 if (prot && !pmf) {
@@ -523,14 +531,6 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
 return 0;
 }

- pos = data;
- action = *pos++;
- dialog_token = *pos++;
-
- if (action != WLAN_PA_GAS_INITIAL_RESP &&
- action != WLAN_PA_GAS_COMEBACK_RESP)
- return -1; /* Not a GAS response */
-
 query = gas_query_get_pending(gas, sa, dialog_token);
 if (query == NULL) {
 wpa_printf(MSG_DEBUG, "GAS: No pending query found for " MACSTR
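Review bot: The ordering introduced in the first hunk is security-relevant but undocumented in the code: the action-code filter has to run before the `prot`/`pmf` drop so that only GAS responses are subject to the Protected Dual rule, and a later refactor could silently swap the two back. A short comment above the moved block would pin this, e.g. `/* Filter on action code first; the protected/unprotected PMF rule below applies only to GAS responses */`. The two reads from `data` stay covered by the existing `len < 4` guard, so no extra bounds check is needed. It also looks as if `return -1` leaves the frame for other handlers while `return 0` in the drop path consumes it; if that is the contract, it belongs in the function's header comment, which like the rest of gas_query_rx's body lies outside the hunk.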