Fix wpa_insert_pmkid() when buffer includes extra IEs

The case where the old RSNE included one or more PMKIDs and that RSNE
was followed by another IE was handled incorrectly since the
os_memmove() to move the end of the buffer when removing old PMKIDs was
stopping copying at the end of the RSNE, not the end of the IE buffer.
This could result in corrupting the IE that followed the RSNE. In
practice, this broke FT-SAE with H2E by corrupting the RSNXE that is in
the buffer after the RSNE.

Fix this by copying the full end of the buffer (i.e., including the
following RSNXE in the visible error case) when removing the old PMKIDs.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index ea9f7a21ceb7d4097c3669285b349951a6e64b11..de4b6ecd2993c24ab3144304a2de75382c43487a 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -2200,7 +2200,7 @@ int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
                                   "RSN: Remove %u old PMKID(s) from RSNE",
                                   num_pmkid);
                        after = rpos + 2 + num_pmkid * PMKID_LEN;
-                       os_memmove(rpos + 2, after, rend - after);
+                       os_memmove(rpos + 2, after, end - after);
                        start[1] -= num_pmkid * PMKID_LEN;
                        added -= num_pmkid * PMKID_LEN;
                }