WNM: Fix regression in Sleep Mode exit key data parsing

Commit dbfb8e82ff69e6c7969b7cd23e53fd39b3e896e7 changed the Action frame
RX payload pointer design to point to a different field. WNM Sleep Mode
Response handler updated one of the uses to accommodate this change, but
that commit missed another use for key data length. This resulted in GTK
and IGTK being ignored in many cases when waking up from WNM Sleep Mode
with PMF enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 7db6eb69ad0fffa77b959d686d4fca8eac9cfff8..952db0ac046ce3fbae2cc9749bae777bfa675b4e 100644 (file)
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -235,16 +235,20 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
                                        const u8 *frm, int len)
 {
        /*
-        * Action [1] | Diaglog Token [1] | Key Data Len [2] | Key Data |
+        * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
         * WNM-Sleep Mode IE | TFS Response IE
         */
        u8 *pos = (u8 *) frm; /* point to payload after the action field */
-       u16 key_len_total = le_to_host16(*((u16 *)(frm+2)));
+       u16 key_len_total;
        struct wnm_sleep_element *wnmsleep_ie = NULL;
        /* multiple TFS Resp IE (assuming consecutive) */
        u8 *tfsresp_ie_start = NULL;
        u8 *tfsresp_ie_end = NULL;
 
+       if (len < 3)
+               return;
+       key_len_total = WPA_GET_LE16(frm + 1);
+
        wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
                   frm[0], key_len_total);
        pos += 3 + key_len_total;