authorJouni Malinen <j@w1.fi>2014-04-05 16:52:18 (GMT)
committerJouni Malinen <j@w1.fi>2014-04-05 17:42:13 (GMT)
commit9a147ba18d097cd2a313c578ca0af33718c0be41 (patch)
treea3307818f4ee4688c4ee0ef0b40d6aa75f9cd2e6 /wpa_supplicant/wnm_sta.c
parentb2edaa43338634647c3c0faafa10f57c04e7a8f7 (diff)
WNM: Fix regression in Sleep Mode exit key data parsing
Commit dbfb8e82ff69e6c7969b7cd23e53fd39b3e896e7 changed the Action frame RX payload pointer design to point to a different field. WNM Sleep Mode Response handler updated one of the uses to accommodate this change, but that commit missed another use for key data length. This resulted in GTK and IGTK being ignored in many cases when waking up from WNM Sleep Mode with PMF enabled. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wnm_sta.c')
-rw-r--r--wpa_supplicant/wnm_sta.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 7db6eb6..952db0a 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -235,16 +235,20 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
const u8 *frm, int len)
{
/*
- * Action [1] | Diaglog Token [1] | Key Data Len [2] | Key Data |
+ * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
* WNM-Sleep Mode IE | TFS Response IE
*/
u8 *pos = (u8 *) frm; /* point to payload after the action field */
- u16 key_len_total = le_to_host16(*((u16 *)(frm+2)));
+ u16 key_len_total;
struct wnm_sleep_element *wnmsleep_ie = NULL;
/* multiple TFS Resp IE (assuming consecutive) */
u8 *tfsresp_ie_start = NULL;
u8 *tfsresp_ie_end = NULL;
+ if (len < 3)
+ return;
+ key_len_total = WPA_GET_LE16(frm + 1);
+
wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
frm[0], key_len_total);
pos += 3 + key_len_total;
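Review bot: `key_len_total` is taken from the received frame and added to `pos` at `pos += 3 + key_len_total;` without being compared to `len`, so the new `len < 3` guard only covers the fixed three-octet header. A response whose Key Data Len field is larger than the remaining payload would move `pos` beyond the end of the buffer; I would add `if (key_len_total > len - 3) return;` directly after the `WPA_GET_LE16()` read. The rest of ieee802_11_rx_wnmsleep_resp() lies outside this hunk, so a later bounds check may exist, but nothing visible here limits the value before it is used. The early return for a short frame is also silent, and a `wpa_printf(MSG_DEBUG, ...)` line there would make truncated or malformed responses visible in the debug log.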