From 307cfc32866885c8221e8c627c43429208adac7b Mon Sep 17 00:00:00 2001
From: Mikael Kanstrup
Date: Tue, 19 Nov 2019 10:51:05 +0100
Subject: [PATCH] Strip trailing zero data in EAPOL-Key msg 1/4 when no PMKID to send

EAPOL-Key message 1/4 without PMKID KDE was sent with 22 bytes of stray data following a zero length key data field. These 22 bytes happens to be the exact size of an PMKID KDE. Strip these trailing bytes by checking whether a PMKID is available and adjust pmkid_len to 0 if not. This was seen for example in capture files created by hwsim test case suite_b_192 but code modified to handle also the other cases without PMKID (Suite B no-KCK, FILS without PMKID available, SAE without PMKID available).

Signed-off-by: Mikael Kanstrup
---
 src/ap/wpa_auth.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 891cdd22a..6611b0e53 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2169,7 +2169,6 @@ SM_STATE(WPA_PTK, PTKSTART) wpa_printf(MSG_DEBUG, "FT: No PMKID in message 1/4 when using FT protocol"); pmkid = NULL;
- pmkid_len = 0;
#endif /* CONFIG_IEEE80211R_AP */ #ifdef CONFIG_SAE } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
@@ -2199,6 +2198,8 @@ SM_STATE(WPA_PTK, PTKSTART) &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN); } }
+ if (!pmkid)
+ pmkid_len = 0;
wpa_send_eapol(sm->wpa_auth, sm, WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, sm->ANonce, pmkid, pmkid_len, 0, 0);
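Review bot: The added `if (!pmkid) pmkid_len = 0;` just before the wpa_send_eapol() call corrects a length that the earlier branches now leave stale on purpose (the FT branch drops its own `pmkid_len = 0;` in the first hunk), but nothing at this spot says why, so a later reader may move the reset back into one branch or drop it as redundant. I would add a comment above it: `/* No PMKID KDE to include: pmkid_len may still hold the KDE size, so send an empty key data field rather than pmkid_len bytes of zero padding */`. That wpa_send_eapol() zero-fills, rather than reads from, a NULL kde pointer with a non-zero length is inferred from the commit message and not visible in the hunk, so it is worth confirming that no other caller still passes that combination. PTKSTART begins before the first hunk, where pmkid and pmkid_len are set up, so the path that produces the stale length is outside this view.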