FT: Validate protect IE count in FTIE MIC Control
parent
148fb67d5e
commit
8aaf894de2
2 changed files with 18 additions and 1 deletions
|
@ -1094,6 +1094,7 @@ u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
|
|||
struct rsn_mdie *mdie;
|
||||
struct rsn_ftie *ftie;
|
||||
u8 mic[16];
|
||||
unsigned int count;
|
||||
|
||||
if (sm == NULL)
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
|
@ -1137,6 +1138,16 @@ u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
|
|||
return WLAN_STATUS_INVALID_FTIE;
|
||||
}
|
||||
|
||||
count = 3;
|
||||
if (parse.ric)
|
||||
count++;
|
||||
if (ftie->mic_control[1] != count) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
|
||||
"Control: received %u expected %u",
|
||||
ftie->mic_control[1], count);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (wpa_ft_mic(sm->PTK.kck, sm->addr, sm->wpa_auth->addr, 5,
|
||||
parse.mdie - 2, parse.mdie_len + 2,
|
||||
parse.ftie - 2, parse.ftie_len + 2,
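Review bot: The new mismatch branch ends in `return -1;`, but the hunk header shows wpa_ft_validate_reassoc() returns `u16`, so the caller gets 65535 instead of a status code, while the failure path just above returns `WLAN_STATUS_INVALID_FTIE`. Changing the line to `return WLAN_STATUS_INVALID_FTIE;` (or `WLAN_STATUS_UNSPECIFIED_FAILURE`, as the `sm == NULL` guard uses) keeps a rejected IE count mapped to a defined status value. How the caller handles an out-of-range value is not visible on this page, so it is worth checking where the result is copied into the response. The function body starts and ends outside the hunks shown.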
|
||||
|
|
|
@ -839,7 +839,7 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
|
|||
struct wpa_ft_ies parse;
|
||||
struct rsn_mdie *mdie;
|
||||
struct rsn_ftie *ftie;
|
||||
size_t count;
|
||||
unsigned int count;
|
||||
u8 mic[16];
|
||||
|
||||
wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
|
||||
|
@ -925,6 +925,12 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
|
|||
count = 3;
|
||||
if (parse.tie)
|
||||
count++;
|
||||
if (ftie->mic_control[1] != count) {
|
||||
wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
|
||||
"Control: received %u expected %u",
|
||||
ftie->mic_control[1], count);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, src_addr, 6,
|
||||
parse.mdie - 2, parse.mdie_len + 2,
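Review bot: The expected count here is `3` plus `parse.tie`, while the matching check added in wpa_ft_validate_reassoc() adds `parse.ric`, and nothing in either hunk says which elements the base `3` stands for. If a response can also carry a RIC that the MIC covers, a valid frame would presumably fail this comparison, so the asymmetry should be confirmed against the arguments of the `wpa_ft_mic()` call that follows. A comment above `count = 3;` would make the contract explicit, for example `/* number of IEs covered by the MIC; keep in sync with the wpa_ft_mic() arguments below */`. The function continues past the end of the hunk, so the full argument list is not visible here.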
|
||||
|
|