From e44bd28cd1d9419d38561d6ce618481f0d3b5c16 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 10 Dec 2015 00:11:00 +0200
Subject: [PATCH] FT: Fix sm->assoc_resp_ftie storing on the AP side

The FTIE from (Re)Association Response frame was copied before calculating the MIC. This resulted in incorrect value being used when comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used after FT protocol run. Fix this by storing the element after the MIC field has been filled in.

Signed-off-by: Jouni Malinen
---
 src/ap/wpa_auth_ft.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index eeaffbf63..42242a54a 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -720,11 +720,6 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
 ftie_len = res;
 pos += res;
- os_free(sm->assoc_resp_ftie);
- sm->assoc_resp_ftie = os_malloc(ftie_len);
- if (sm->assoc_resp_ftie)
- os_memcpy(sm->assoc_resp_ftie, ftie, ftie_len);
-
 _ftie = (struct rsn_ftie *) (ftie + 2);
 if (auth_alg == WLAN_AUTH_FT)
 _ftie->mic_control[1] = 3; /* Information element count */
@@ -745,6 +750,11 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
 _ftie->mic) < 0)
 wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
+ os_free(sm->assoc_resp_ftie);
+ sm->assoc_resp_ftie = os_malloc(ftie_len);
+ if (sm->assoc_resp_ftie)
+ os_memcpy(sm->assoc_resp_ftie, ftie, ftie_len);
+
 return pos;
 }
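Review bot: The relocated copy at the end of wpa_sm_write_assoc_resp_ies() is stored whether or not the MIC calculation just above it succeeded, and an os_malloc() failure leaves sm->assoc_resp_ftie NULL with no log message and no error return. According to the commit message this buffer is what the EAPOL-Key msg 2/4 FTIE is later compared against, so both cases should at least be visible. The comparison code is outside this hunk, so whether a NULL or MIC-less copy makes that check fail closed cannot be confirmed from here. I would add `else wpa_printf(MSG_DEBUG, "FT: Failed to store FTIE for later comparison");` after the `os_memcpy()` line, and a comment such as `/* Store the FTIE only after the MIC field has been filled in */` above `os_free()` so the ordering is not undone by a later refactor. The function body starts outside the hunk.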