FT: Validate protect IE count in FTIE MIC Control
authorJouni Malinen <jouni.malinen@atheros.com>
Fri, 9 Apr 2010 14:08:16 +0000 (17:08 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 9 Apr 2010 14:08:16 +0000 (17:08 +0300)
src/ap/wpa_auth_ft.c
src/rsn_supp/wpa_ft.c

index bb28163..0c07d20 100644 (file)
@@ -1094,6 +1094,7 @@ u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
        struct rsn_mdie *mdie;
        struct rsn_ftie *ftie;
        u8 mic[16];
+       unsigned int count;
 
        if (sm == NULL)
                return WLAN_STATUS_UNSPECIFIED_FAILURE;
@@ -1137,6 +1138,16 @@ u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
                return WLAN_STATUS_INVALID_FTIE;
        }
 
+       count = 3;
+       if (parse.ric)
+               count++;
+       if (ftie->mic_control[1] != count) {
+               wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
+                          "Control: received %u expected %u",
+                          ftie->mic_control[1], count);
+               return -1;
+       }
+
        if (wpa_ft_mic(sm->PTK.kck, sm->addr, sm->wpa_auth->addr, 5,
                       parse.mdie - 2, parse.mdie_len + 2,
                       parse.ftie - 2, parse.ftie_len + 2,
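Review bot: The added `return -1;` in the IE-count check is inside wpa_ft_validate_reassoc(), which is declared to return u16, so the value converts to 0xFFFF rather than a defined status code. The other failure paths visible in this hunk and the previous one return WLAN_STATUS_* constants, so `return WLAN_STATUS_INVALID_FTIE;` would match the check just above it and give the caller a well-defined status to report. The new `count = 3;` would also be easier to audit with a short comment naming the three always-protected elements (presumably RSNIE, MDIE and FTIE; confirm against the wpa_ft_mic() inputs). The function body starts and ends outside the hunk.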
index b474485..50f48ed 100644 (file)
@@ -839,7 +839,7 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
        struct wpa_ft_ies parse;
        struct rsn_mdie *mdie;
        struct rsn_ftie *ftie;
-       size_t count;
+       unsigned int count;
        u8 mic[16];
 
        wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
@@ -925,6 +925,12 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
        count = 3;
        if (parse.tie)
                count++;
+       if (ftie->mic_control[1] != count) {
+               wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
+                          "Control: received %u expected %u",
+                          ftie->mic_control[1], count);
+               return -1;
+       }
 
        if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, src_addr, 6,
                       parse.mdie - 2, parse.mdie_len + 2,
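Review bot: The expected count on the supplicant side adds one for `parse.tie` but nothing for RIC elements, while the authenticator-side check in this same commit adds one for `parse.ric`. If a Reassociation Response can carry a RIC that is covered by the MIC, the strict `!=` comparison would reject an otherwise valid response before the MIC is even checked; whether that case can occur is not visible from this hunk and should be confirmed. A one-line comment above the comparison stating which elements the count covers, e.g. `/* RSNIE + MDIE + FTIE, plus TIE if present */`, would make the two sides easier to keep in step. The function body continues outside the hunk.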