Strip trailing zero data in EAPOL-Key msg 1/4 when no PMKID to send
authorMikael Kanstrup <mikael.kanstrup@sony.com>
Tue, 19 Nov 2019 09:51:05 +0000 (10:51 +0100)
committerJouni Malinen <j@w1.fi>
Sun, 22 Dec 2019 22:26:07 +0000 (00:26 +0200)
EAPOL-Key message 1/4 without PMKID KDE was sent with 22 bytes of stray
data following a zero length key data field. These 22 bytes happen to
be the exact size of a PMKID KDE. Strip these trailing bytes by
checking whether a PMKID is available and adjusting pmkid_len to 0 if not.

This was seen for example in capture files created by hwsim test case
suite_b_192 but code modified to handle also the other cases without
PMKID (Suite B no-KCK, FILS without PMKID available, SAE without PMKID
available).

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
src/ap/wpa_auth.c

index 891cdd22aa3b5966bb89d887ea32c3d1c89b95b3..6611b0e534886f7463f2e3c0a3f65b96ed23a885 100644 (file)
@@ -2169,7 +2169,6 @@ SM_STATE(WPA_PTK, PTKSTART)
                        wpa_printf(MSG_DEBUG,
                                   "FT: No PMKID in message 1/4 when using FT protocol");
                        pmkid = NULL;
-                       pmkid_len = 0;
 #endif /* CONFIG_IEEE80211R_AP */
 #ifdef CONFIG_SAE
                } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
@@ -2199,6 +2198,8 @@ SM_STATE(WPA_PTK, PTKSTART)
                                    &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
                }
        }
+       if (!pmkid)
+               pmkid_len = 0;
        wpa_send_eapol(sm->wpa_auth, sm,
                       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
                       sm->ANonce, pmkid, pmkid_len, 0, 0);
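Review bot: The added `if (!pmkid) pmkid_len = 0;` just before wpa_send_eapol() has no comment saying why the length is reset, and the invariant it enforces (a NULL pmkid must never be passed with a non-zero pmkid_len) is now held only by this one late fixup. I would put a comment above it such as `/* No PMKID KDE to send: force length to 0 so no extra Key Data bytes are appended to msg 1/4 */`, so a future key-management branch that leaves pmkid NULL is understood to rely on it. The commit title describes the stray bytes as zero data, so this looks like a frame-format fix rather than a memory disclosure, but that depends on how the callee allocates and fills the frame buffer, which is not visible here. The body of SM_STATE(WPA_PTK, PTKSTART), including the place where pmkid_len gets its initial value, starts outside the hunk.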