diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c index 3c45f3a02..5d1de4c39 100644 --- a/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c @@ -2637,7 +2637,6 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) #endif /* CONFIG_IEEE80211W */ u16 keyinfo; u8 keylen; /* plaintext key len */ - u8 keydatalen; u8 *key_rsc; os_memset(&gd, 0, sizeof(gd)); @@ -2655,8 +2654,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { key_rsc = buf + 5; - keyinfo = WPA_GET_LE16(buf+2); - keydatalen = buf[1] - 11 - 8; + keyinfo = WPA_GET_LE16(buf + 2); gd.gtk_len = keylen; if (gd.gtk_len != buf[4]) { wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", @@ -2667,18 +2665,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) gd.tx = wpa_supplicant_gtk_tx_bit_workaround( sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); - if (keydatalen % 8) { - wpa_printf(MSG_DEBUG, "WPA: Unsupported AES-WRAP len " - "%d", keydatalen); - return -1; - } - - if (aes_unwrap(sm->ptk.kek, keydatalen / 8, buf + 13, gd.gtk)) - { - wpa_printf(MSG_WARNING, "WNM: AES unwrap failed - " - "could not decrypt GTK"); - return -1; - } + os_memcpy(gd.gtk, buf + 13, gd.gtk_len); wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", gd.gtk, gd.gtk_len); @@ -2689,22 +2676,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) } #ifdef CONFIG_IEEE80211W } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { - if (buf[1] != 2 + 6 + WPA_IGTK_LEN + 8) { - wpa_printf(MSG_DEBUG, "WPA: Unsupported AES-WRAP len " - "%d", buf[1] - 2 - 6 - 8); - return -1; - } os_memcpy(igd.keyid, buf + 2, 2); os_memcpy(igd.pn, buf + 4, 6); keyidx = WPA_GET_LE16(igd.keyid); - - if (aes_unwrap(sm->ptk.kek, WPA_IGTK_LEN / 8, buf + 10, - igd.igtk)) { - wpa_printf(MSG_WARNING, "WNM: AES unwrap failed - " - "could not decrypr IGTK"); - return -1; - } + os_memcpy(igd.igtk, buf + 10, WPA_IGTK_LEN); wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)", igd.igtk, WPA_IGTK_LEN); diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c index 20f0d62e3..f1a1337b9 100644 --- a/wpa_supplicant/wnm_sta.c +++ b/wpa_supplicant/wnm_sta.c @@ -156,8 +156,17 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, wpa_printf(MSG_DEBUG, "action=%d token = %d key_len_total = %d", frm[0], frm[1], key_len_total); pos += 4 + key_len_total; + if (pos > frm + len) { + wpa_printf(MSG_INFO, "WNM: Too short frame for Key Data field"); + return; + } while (pos - frm < len) { u8 ie_len = *(pos + 1); + if (pos + 2 + ie_len > frm + len) { + wpa_printf(MSG_INFO, "WNM: Invalid IE len %u", ie_len); + break; + } + wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len); if (*pos == WLAN_EID_WNMSLEEP) wnmsleep_ie = (struct wnm_sleep_element *) pos; else if (*pos == WLAN_EID_TFS_RESP) { @@ -210,9 +219,33 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, do { /* point to key data field */ u8 *ptr = (u8 *) frm + 1 + 1 + 2; - while (ptr < (u8 *) frm + 4 + key_len_total) { + u8 *end = ptr + key_len_total; + wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", + ptr, key_len_total); + while (ptr + 1 < end) { + if (ptr + 2 + ptr[1] > end) { + wpa_printf(MSG_DEBUG, + "WNM: Invalid Key " + "Data element " + "length"); + if (end > ptr) + wpa_hexdump(MSG_DEBUG, "WNM: Remaining data", ptr, end - ptr); + break; + } if (*ptr == WNM_SLEEP_SUBELEM_GTK) { + if (ptr[1] < 11 + 5) { + wpa_printf(MSG_DEBUG, + "WNM: Too short GTK subelem"); + break; + } gtk_len = *(ptr + 4); + if (ptr[1] < 11 + gtk_len || + gtk_len < 5 || gtk_len > 32) + { + wpa_printf(MSG_DEBUG, + "WNM: Invalid GTK subelem"); + break; + } wpa_wnmsleep_install_key( wpa_s->wpa, WNM_SLEEP_SUBELEM_GTK, @@ -221,6 +254,12 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s, #ifdef CONFIG_IEEE80211W } else if (*ptr == WNM_SLEEP_SUBELEM_IGTK) { + if (ptr[1] < 2 + 6 + + WPA_IGTK_LEN) { + wpa_printf(MSG_DEBUG, + "WNM: Too short IGTK subelem"); + break; + } wpa_wnmsleep_install_key( wpa_s->wpa, WNM_SLEEP_SUBELEM_IGTK,