Fix PMKID addition to RSN element when RSN Capabilities are not present

This code path could not be hit with the RSNE generated by hostapd or
wpa_supplicant, but it is now possible to reach when using
own_ie_override test functionality. The RSNE and IE buffer length were
not updated correct in case wpa_insert_pmkid() had to add the RSN
Capabilities field.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-08 19:19:57 +03:00
parent bc02843e75
commit 3bc25adbbc

View file

@ -1292,6 +1292,9 @@ int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid)
os_memmove(rpos + 2, rpos, end - rpos); os_memmove(rpos + 2, rpos, end - rpos);
*rpos++ = 0; *rpos++ = 0;
*rpos++ = 0; *rpos++ = 0;
added += 2;
start[1] += 2;
rend = rpos;
} else { } else {
/* Skip RSN Capabilities */ /* Skip RSN Capabilities */
rpos += 2; rpos += 2;
@ -1304,7 +1307,7 @@ int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid)
if (rpos == rend) { if (rpos == rend) {
/* No PMKID-Count field included; add it */ /* No PMKID-Count field included; add it */
os_memmove(rpos + 2 + PMKID_LEN, rpos, end - rpos); os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
WPA_PUT_LE16(rpos, 1); WPA_PUT_LE16(rpos, 1);
rpos += 2; rpos += 2;
os_memcpy(rpos, pmkid, PMKID_LEN); os_memcpy(rpos, pmkid, PMKID_LEN);
@ -1319,7 +1322,7 @@ int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid)
} }
WPA_PUT_LE16(rpos, 1); WPA_PUT_LE16(rpos, 1);
rpos += 2; rpos += 2;
os_memmove(rpos + PMKID_LEN, rpos, end - rpos); os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
os_memcpy(rpos, pmkid, PMKID_LEN); os_memcpy(rpos, pmkid, PMKID_LEN);
added += PMKID_LEN; added += PMKID_LEN;
start[1] += PMKID_LEN; start[1] += PMKID_LEN;