GAS: Check protected/unprotected drop after action code check

Apply the GAS specific rule of using Protected Dual of Public Action
frame only after having checked that the action code indicates this to
be a GAS response. Previously, non-GAS Public Action frames could have
been incorrectly dropped because of this check if received during an
association with PMF enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index c28fefa..824d35c 100644 (file)
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -512,6 +512,14 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
        if (gas == NULL || len < 4)
                return -1;
 
+       pos = data;
+       action = *pos++;
+       dialog_token = *pos++;
+
+       if (action != WLAN_PA_GAS_INITIAL_RESP &&
+           action != WLAN_PA_GAS_COMEBACK_RESP)
+               return -1; /* Not a GAS response */
+
        prot = categ == WLAN_ACTION_PROTECTED_DUAL;
        pmf = pmf_in_use(gas->wpa_s, sa);
        if (prot && !pmf) {
@@ -523,14 +531,6 @@ int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa,
                return 0;
        }
 
-       pos = data;
-       action = *pos++;
-       dialog_token = *pos++;
-
-       if (action != WLAN_PA_GAS_INITIAL_RESP &&
-           action != WLAN_PA_GAS_COMEBACK_RESP)
-               return -1; /* Not a GAS response */
-
        query = gas_query_get_pending(gas, sa, dialog_token);
        if (query == NULL) {
                wpa_printf(MSG_DEBUG, "GAS: No pending query found for " MACSTR