From d42df8d6ce81d47aea8059c45e3db5c51897f7e8 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 28 Apr 2019 16:24:32 +0300
Subject: [PATCH] Fix a regression in storing of external_auth SSID/BSSID

An earlier change in drivers_ops API for struct external_auth broke the
way SSID and BSSID for an external authentication request were stored.
The implementation depended on the memory array being available in the
API struct with a use of memcpy() to copy the full structure even though
when only SSID and BSSID was needed. Fix this by replacing that
easy-to-break storing mechanism with explicit arrays for the exact set
of needed information.

Fixes: dd1a8cef4c05 ("Remove unnecessary copying of SSID and BSSID for external_auth")
Signed-off-by: Jouni Malinen <j@w1.fi>
---
 wpa_supplicant/sme.c              | 19 ++++++++++++-------
 wpa_supplicant/wpa_supplicant_i.h |  4 +++-
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 17a984d1a..e2cc439ea 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -965,9 +965,9 @@ static void sme_send_external_auth_status(struct wpa_supplicant *wpa_s,
 
 	os_memset(&params, 0, sizeof(params));
 	params.status = status;
-	params.ssid = wpa_s->sme.ext_auth.ssid;
-	params.ssid_len = wpa_s->sme.ext_auth.ssid_len;
-	params.bssid = wpa_s->sme.ext_auth.bssid;
+	params.ssid = wpa_s->sme.ext_auth_ssid;
+	params.ssid_len = wpa_s->sme.ext_auth_ssid_len;
+	params.bssid = wpa_s->sme.ext_auth_bssid;
 	wpa_drv_send_external_auth_status(wpa_s, &params);
 }
 
@@ -1032,8 +1032,13 @@ void sme_external_auth_trigger(struct wpa_supplicant *wpa_s,
 		return;
 
 	if (data->external_auth.action == EXT_AUTH_START) {
-		os_memcpy(&wpa_s->sme.ext_auth, data,
-			  sizeof(struct external_auth));
+		if (!data->external_auth.bssid || !data->external_auth.ssid)
+			return;
+		os_memcpy(wpa_s->sme.ext_auth_bssid, data->external_auth.bssid,
+			  ETH_ALEN);
+		os_memcpy(wpa_s->sme.ext_auth_ssid, data->external_auth.ssid,
+			  data->external_auth.ssid_len);
+		wpa_s->sme.ext_auth_ssid_len = data->external_auth.ssid_len;
 		wpa_s->sme.seq_num = 0;
 		wpa_s->sme.sae.state = SAE_NOTHING;
 		wpa_s->sme.sae.send_confirm = 0;
@@ -1091,7 +1096,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
 						wpa_s->current_ssid, 2);
 		else
 			sme_external_auth_send_sae_commit(
-				wpa_s, wpa_s->sme.ext_auth.bssid,
+				wpa_s, wpa_s->sme.ext_auth_bssid,
 				wpa_s->current_ssid);
 		return 0;
 	}
@@ -1110,7 +1115,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
 						wpa_s->current_ssid, 1);
 		else
 			sme_external_auth_send_sae_commit(
-				wpa_s, wpa_s->sme.ext_auth.bssid,
+				wpa_s, wpa_s->sme.ext_auth_bssid,
 				wpa_s->current_ssid);
 		return 0;
 	}
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 8ea3c5a1d..b51390ba3 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -802,7 +802,9 @@ struct wpa_supplicant {
 		int sae_group_index;
 		unsigned int sae_pmksa_caching:1;
 		u16 seq_num;
-		struct external_auth ext_auth;
+		u8 ext_auth_bssid[ETH_ALEN];
+		u8 ext_auth_ssid[SSID_MAX_LEN];
+		size_t ext_auth_ssid_len;
 #endif /* CONFIG_SAE */
 	} sme;
 #endif /* CONFIG_SME */