From 3bc25adbbc961e69e90b56edc0d17ba8dbd5ae4d Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 8 Aug 2015 19:19:57 +0300 Subject: [PATCH] Fix PMKID addition to RSN element when RSN Capabilities are not present This code path could not be hit with the RSNE generated by hostapd or wpa_supplicant, but it is now possible to reach when using own_ie_override test functionality. The RSNE and IE buffer length were not updated correct in case wpa_insert_pmkid() had to add the RSN Capabilities field. Signed-off-by: Jouni Malinen --- src/common/wpa_common.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 3d64c98..0492810 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -1292,6 +1292,9 @@ int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid) os_memmove(rpos + 2, rpos, end - rpos); *rpos++ = 0; *rpos++ = 0; + added += 2; + start[1] += 2; + rend = rpos; } else { /* Skip RSN Capabilities */ rpos += 2; @@ -1304,7 +1307,7 @@ int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid) if (rpos == rend) { /* No PMKID-Count field included; add it */ - os_memmove(rpos + 2 + PMKID_LEN, rpos, end - rpos); + os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos); WPA_PUT_LE16(rpos, 1); rpos += 2; os_memcpy(rpos, pmkid, PMKID_LEN); @@ -1319,7 +1322,7 @@ int wpa_insert_pmkid(u8 *ies, size_t ies_len, const u8 *pmkid) } WPA_PUT_LE16(rpos, 1); rpos += 2; - os_memmove(rpos + PMKID_LEN, rpos, end - rpos); + os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos); os_memcpy(rpos, pmkid, PMKID_LEN); added += PMKID_LEN; start[1] += PMKID_LEN; -- 2.1.4