authorJouni Malinen <j@w1.fi>2013-08-24 21:35:10 (GMT)
committerJouni Malinen <j@w1.fi>2013-08-24 21:35:10 (GMT)
commit5bcd5c5a68073a0cb41a373c5cf77a6f1366ea1c (patch)
treebd96cd297bd0d786a9826ec9113c68f8189ea354 /src/ap/wpa_auth_ft.c
parentf84692764a8aa414f0672c867301af2485730c17 (diff)
FT RRB: Clear pad field to avoid sending out uninitialized data
The pad field in the RRB messages is unused, but it should be initialized to avoid sending out arbitrary data from the stack. This was also generating a number of valgrind complaints about uninitialized memory accesses in local FT tests. Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/ap/wpa_auth_ft.c')
-rw-r--r--src/ap/wpa_auth_ft.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 1bb5d97..29d9d29 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -329,6 +329,7 @@ static int wpa_ft_pull_pmk_r1(struct wpa_authenticator *wpa_auth,
os_memcpy(f.pmk_r0_name, pmk_r0_name, WPA_PMK_NAME_LEN);
os_memcpy(f.r1kh_id, wpa_auth->conf.r1_key_holder, FT_R1KH_ID_LEN);
os_memcpy(f.s1kh_id, s1kh_id, ETH_ALEN);
+ os_memset(f.pad, 0, sizeof(f.pad));
if (aes_wrap(r0kh->key, (FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8,
f.nonce, frame.nonce) < 0)
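Review bot: Clearing only `f.pad` just before `aes_wrap()` leaves every other byte of the plaintext struct dependent on an explicit assignment earlier in the function, so a field added later, or any compiler-inserted padding, would again put stack contents into the wrapped RRB payload. Zeroing the whole struct once, right after its declaration, e.g. `os_memset(&f, 0, sizeof(f));`, covers the pad field and everything else in the region spanned by `(FT_R0KH_R1KH_PULL_DATA_LEN + 7) / 8` blocks. The same applies to `r` in wpa_ft_rrb_rx_pull and to `f` in wpa_ft_generate_pmk_r1. The declarations and the start of each function lie outside these hunks, so whether the structs are packed, or whether the outer `frame`/`resp` is already cleared, cannot be confirmed from here.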
@@ -1317,6 +1318,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", r.pmk_r1_name,
WPA_PMK_NAME_LEN);
r.pairwise = host_to_le16(pairwise);
+ os_memset(r.pad, 0, sizeof(r.pad));
if (aes_wrap(r1kh->key, (FT_R0KH_R1KH_RESP_DATA_LEN + 7) / 8,
r.nonce, resp.nonce) < 0) {
@@ -1620,6 +1622,7 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth,
os_get_time(&now);
WPA_PUT_LE32(f.timestamp, now.sec);
f.pairwise = host_to_le16(pairwise);
+ os_memset(f.pad, 0, sizeof(f.pad));
if (aes_wrap(r1kh->key, (FT_R0KH_R1KH_PUSH_DATA_LEN + 7) / 8,
f.timestamp, frame.timestamp) < 0)
return;