From 07a9fc6c09b7e9f2e6ed4e9f3da0cfd38936c82d Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Tue, 27 Sep 2022 12:47:26 -0700
Subject: [PATCH] ft: update action response parsing to include header

Now the full action frame including the header is provided to ft which breaks the existing parser since it assumes the buffer starts at the body of the message.
---
 src/ft.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/ft.c b/src/ft.c
index fc9111bc..de628941 100644
--- a/src/ft.c
+++ b/src/ft.c
@@ -579,13 +579,18 @@ int ft_over_ds_parse_action_response(const uint8_t *frame, size_t frame_len,
 const uint8_t **ies_out, size_t *ies_len)
 {
+ struct mmpdu_header *hdr = (struct mmpdu_header *)frame;
+ size_t hdr_len = mmpdu_header_len(hdr);
 uint16_t status;
 const uint8_t *aa;
 const uint8_t *spa;
 
- if (frame_len < 16)
+ if (frame_len < hdr_len + 16)
 return -EINVAL;
 
+ frame += hdr_len;
+ frame_len -= hdr_len;
+
 /* Category FT */
 if (frame[0] != 6)
 return -EINVAL;
@@ -597,6 +602,9 @@ int ft_over_ds_parse_action_response(const uint8_t *frame, size_t frame_len,
 spa = frame + 2;
 aa = frame + 8;
 
+ if (memcmp(spa, hdr->address_1, 6))
+ return -EINVAL;
+
 status = l_get_le16(frame + 14);
 if (status != 0)
 return (int)status;
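Review bot: `mmpdu_header_len(hdr)` is evaluated before `frame_len` has been checked against any header size, so if that helper reads frame-control fields of `hdr` (its name and argument suggest it does) a frame shorter than the fixed management header is read out of bounds before the `frame_len < hdr_len + 16` test ever runs; unless the caller is known to have validated the header already, a guard such as `if (frame_len < sizeof(*hdr)) return -EINVAL;` belongs ahead of the `hdr_len` computation, with the constant taken from whatever minimum the header type actually defines. The cast `(struct mmpdu_header *)frame` also discards the `const` of the `frame` parameter; `const struct mmpdu_header *hdr = (const struct mmpdu_header *)frame;` is sufficient since `hdr` is only read here and in the later `memcmp`. The function body continues past the end of this hunk, so any earlier validation would not be visible from here.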
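Review bot: The new `memcmp(spa, hdr->address_1, 6)` check carries no comment saying why the SPA field of the FT action body is compared against `address_1` of the MMPDU header, and the bare truthy use of `memcmp` is out of step with the explicit `status != 0` comparison two lines below. A comment such as `/* SPA in the FT response must match the frame's address_1 (presumably our own address as the destination) */` above the test, and writing it as `if (memcmp(spa, hdr->address_1, 6) != 0)`, would make the intent and the convention consistent; the "presumably" should be confirmed against the caller and replaced with the definite reason. `hdr` is declared in the earlier hunk of this function, and the body continues beyond this hunk.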