WNM: Fix regression in Sleep Mode exit key data parsing

Commit dbfb8e82ff69e6c7969b7cd23e53fd39b3e896e7 changed the Action frame
RX payload pointer design to point to a different field. WNM Sleep Mode
Response handler updated one of the uses to accommodate this change, but
that commit missed another use for key data length. This resulted in GTK
and IGTK being ignored in many cases when waking up from WNM Sleep Mode
with PMF enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 7db6eb6..952db0a 100644 (file)
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -235,16 +235,20 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
                                        const u8 *frm, int len)
 {
        /*
-        * Action [1] | Diaglog Token [1] | Key Data Len [2] | Key Data |
+        * Action [1] | Dialog Token [1] | Key Data Len [2] | Key Data |
         * WNM-Sleep Mode IE | TFS Response IE
         */
        u8 *pos = (u8 *) frm; /* point to payload after the action field */
-       u16 key_len_total = le_to_host16(*((u16 *)(frm+2)));
+       u16 key_len_total;
        struct wnm_sleep_element *wnmsleep_ie = NULL;
        /* multiple TFS Resp IE (assuming consecutive) */
        u8 *tfsresp_ie_start = NULL;
        u8 *tfsresp_ie_end = NULL;
 
+       if (len < 3)
+               return;
+       key_len_total = WPA_GET_LE16(frm + 1);
+
        wpa_printf(MSG_DEBUG, "WNM-Sleep Mode Response token=%u key_len_total=%d",
                   frm[0], key_len_total);
        pos += 3 + key_len_total;