Kernel/iwd
3
0
Fork 0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-01-03 10:32:33 +01:00
Code Releases Activity

sae: fix incorrect length adjustment

Browse Source 
The commit/confirm processing was incorrectly subtracting 2 from
the length when they should be subtracting 6. As with the other
similar change, the length is validated with mpdu_validate so
subtracting 6 will not cause an overflow.
This commit is contained in:
James Prestwood 2019-10-21 14:59:17 -07:00 committed by Denis Kenzior
parent 47efe17461
commit 27d698a0c0
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/sae.c
View File

@ -1040,10 +1040,10 @@ static int sae_rx_authenticate(struct auth_proto *ap,
switch (L_LE16_TO_CPU(auth->transaction_sequence)) { switch (L_LE16_TO_CPU(auth->transaction_sequence)) {
case SAE_STATE_COMMITTED: case SAE_STATE_COMMITTED:
return sae_process_commit(sm, hdr->address_2, auth->ies, return sae_process_commit(sm, hdr->address_2, auth->ies,
len - 2); len - 6);
case SAE_STATE_CONFIRMED: case SAE_STATE_CONFIRMED:
return sae_process_confirm(sm, hdr->address_2, auth->ies, return sae_process_confirm(sm, hdr->address_2, auth->ies,
len - 2); len - 6);
default: default:
l_error("invalid transaction sequence %u", l_error("invalid transaction sequence %u",
L_LE16_TO_CPU(auth->transaction_sequence)); L_LE16_TO_CPU(auth->transaction_sequence));