From: Veerendranath Jakkam Date: Thu, 14 Oct 2021 13:26:14 +0000 (+0530) Subject: PMKSA: Make sure reauth time is not greater than expiration time X-Git-Tag: hostap_2_10~131 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f634b0032a0d7f2a43078f3c14435b1ba143eba;p=thirdparty%2Fhostap.git PMKSA: Make sure reauth time is not greater than expiration time While creating a cloned PMKSA entry for OKC both expiration and reauth_time values are set to maximum values, but later only the expiration time is copied from the old PMKSA entry to the new PMKSA entry. Due to this there is a possibility of reauth_time becoming greater than expiration time in some cloned entries. To avoid this copy reauth_time also to the cloned entry. Also, add check to reject control interface commands with reauth time greater than expiration time. Signed-off-by: Veerendranath Jakkam --- diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c index 97a01a2f8..bd93c7ac7 100644 --- a/src/rsn_supp/pmksa_cache.c +++ b/src/rsn_supp/pmksa_cache.c @@ -378,6 +378,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, { struct rsn_pmksa_cache_entry *new_entry; os_time_t old_expiration = old_entry->expiration; + os_time_t old_reauth_time = old_entry->reauth_time; const u8 *pmkid = NULL; if (wpa_key_mgmt_sae(old_entry->akmp) || @@ -394,6 +395,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, /* TODO: reorder entries based on expiration time? */ new_entry->expiration = old_expiration; + new_entry->reauth_time = old_reauth_time; new_entry->opportunistic = 1; return new_entry; diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 9875b22e7..9dc17f5ee 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -10624,6 +10624,8 @@ static int wpas_ctrl_iface_pmksa_add(struct wpa_supplicant *wpa_s, if (sscanf(pos, "%d %d %d %d", &reauth_time, &expiration, &entry->akmp, &entry->opportunistic) != 4) goto fail; + if (reauth_time > expiration) + goto fail; for (i = 0; i < 4; i++) { pos = os_strchr(pos, ' '); if (!pos) {