From: Jouni Malinen Date: Sat, 26 Oct 2013 10:30:28 +0000 (+0300) Subject: Clean up get_seqnum() use for IPN X-Git-Tag: hostap_2_1~783 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03610ad28d1a93cf6f95150ed76f234c1e54ebd5;p=thirdparty%2Fhostap.git Clean up get_seqnum() use for IPN Some driver wrappers may implement this by writing eight octets even though IPN is only six octets. Use a separate WPA_KEY_RSC_LEN (8) octet buffer in the call to make sure there is enough buffer room available for the full returned value and then copy it to IPN field. The previous implementation used the following igtk field as the extra buffer and then initialized that field afterwards, so this change does not fix any real issue in behavior, but it is cleaner to use an explicit buffer of the maximum length for get_seqnum(). Signed-hostap: Jouni Malinen
---
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 0286c5b8c..03b15c24a 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1863,6 +1863,7 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
 {
 struct wpa_igtk_kde igtk;
 struct wpa_group *gsm = sm->group;
+ u8 rsc[WPA_KEY_RSC_LEN];
 if (!sm->mgmt_frame_prot)
 return pos;
@@ -1870,8 +1871,10 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
 igtk.keyid[0] = gsm->GN_igtk;
 igtk.keyid[1] = 0;
 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
- wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
+ wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
 os_memset(igtk.pn, 0, sizeof(igtk.pn));
+ else
+ os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
 if (sm->wpa_auth->conf.disable_gtk) {
 /*
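Review bot: `rsc` is copied into `igtk.pn` without ever being initialised, so if a driver wrapper reports success from `wpa_auth_get_seqnum()` but writes fewer than `sizeof(igtk.pn)` octets, the new `os_memcpy()` in the second hunk would place stale stack bytes into the IGTK KDE that is sent to the station. Whether any wrapper does that is not visible here, but the commit message already says wrappers disagree about how many octets they write, so clearing the buffer first is cheap insurance: add `os_memset(rsc, 0, sizeof(rsc));` before the `if` in the second hunk. A short comment on the declaration in the first hunk, such as `/* get_seqnum() may write up to WPA_KEY_RSC_LEN octets; only the first 6 form the IPN */`, would record why the buffer is larger than the field. The body of ieee80211w_kde_add() continues past the end of the second hunk.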