From 08dc8efd29d2f94c65ba825e808d7284e84d1b2b Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 23 Mar 2019 12:44:42 +0200
Subject: [PATCH] Fix memcpy regression in PMK handling

The memcpy calls added for exposing the PMK from wpa_auth module could end up trying to copy the same memory buffer on top of itself. Overlapping memory areas are not allowed with memcpy, so this could result in undefined behavior. Fix this by making the copies conditional on the updated value actually coming from somewhere else.

Fixes: b08c9ad0c78d ("AP: Expose PMK outside of wpa_auth module")
Signed-off-by: Jouni Malinen
---
 src/ap/wpa_auth.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 166f4786d..078106877 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -892,8 +892,10 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,

 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
 data, data_len) == 0) {
- os_memcpy(sm->PMK, pmk, pmk_len);
- sm->pmk_len = pmk_len;
+ if (sm->PMK != pmk) {
+ os_memcpy(sm->PMK, pmk, pmk_len);
+ sm->pmk_len = pmk_len;
+ }
 ok = 1;
 break;
 }
@@ -2791,8 +2793,10 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
 sm->last_rx_eapol_key,
 sm->last_rx_eapol_key_len) == 0) {
- os_memcpy(sm->PMK, pmk, pmk_len);
- sm->pmk_len = pmk_len;
+ if (sm->PMK != pmk) {
+ os_memcpy(sm->PMK, pmk, pmk_len);
+ sm->pmk_len = pmk_len;
+ }
 ok = 1;
 break;
 }
-- 
2.47.2
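Review bot: The new guard `if (sm->PMK != pmk)` in the wpa_try_alt_snonce hunk (and the identical one in the PTKCALCNEGOTIATING hunk) also moves `sm->pmk_len = pmk_len;` under the condition, so when pmk aliases sm->PMK the length is no longer written; that is only correct if every caller that passes sm->PMK also passes a pmk_len equal to sm->pmk_len, which cannot be confirmed from the hunk. If that invariant is not guaranteed, keep the length assignment outside the guard, i.e. `sm->pmk_len = pmk_len;` after the closing brace, so the stored length always matches the key that was just verified. The pointer comparison only catches exact aliasing; a candidate that partially overlaps sm->PMK would still hit the overlapping-memcpy case, though nothing visible in the hunk suggests such a candidate exists. A one-line comment such as `/* pmk may point at sm->PMK itself; memcpy on overlapping buffers is UB */` would record why the guard is there. Both enclosing functions start and end outside their hunks.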