WNM: Fix regression in Sleep Mode exit key data parsing

Commit dbfb8e82ff changed the Action frame
RX payload pointer design to point to a different field. WNM Sleep Mode
Response handler updated one of the uses to accommodate this change, but
that commit missed another use for key data length. This resulted in GTK
and IGTK being ignored in many cases when waking up from WNM Sleep Mode
with PMF enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-04-05 19:52:18 +03:00
parent b2edaa4333
commit 9a147ba18d

View file

@ -235,16 +235,20 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
const u8 *frm, int len)
{
/*
* Action [1] | Diaglog Token [1] | Key Data Len [2] | Key Data |
* Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
* WNM-Sleep Mode IE | TFS Response IE
*/
u8 *pos = (u8 *) frm; /* point to payload after the action field */
u16 key_len_total = le_to_host16(*((u16 *)(frm+2)));
u16 key_len_total;
struct wnm_sleep_element *wnmsleep_ie = NULL;
/* multiple TFS Resp IE (assuming consecutive) */
u8 *tfsresp_ie_start = NULL;
u8 *tfsresp_ie_end = NULL;
if (len < 3)
return;
key_len_total = WPA_GET_LE16(frm + 1);
wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
frm[0], key_len_total);
pos += 3 + key_len_total;