Date: Mon, 15 Jul 2024 18:46:38 GMT
From: Adrian Chadd <adrian@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 3ab5e2977883 - main - net80211: fix RSN capability parsing
Message-ID: <202407151846.46FIkc3i087690@gitrepo.freebsd.org>
The branch main has been updated by adrian:

URL: https://cgit.FreeBSD.org/src/commit/?id=3ab5e29778835065d80cbb6610ece981ac65c4c7

commit 3ab5e29778835065d80cbb6610ece981ac65c4c7
Author: Adrian Chadd <adrian@FreeBSD.org>
AuthorDate: 2024-07-09 16:54:21 +0000
Commit: Adrian Chadd <adrian@FreeBSD.org>
CommitDate: 2024-07-15 18:45:40 +0000

net80211: fix RSN capability parsing

The RSN capability field may be the last two bytes in the IE. 802.11-2016 9.4.2.25.1 (General) doesn't require anything afterwards - the PMKID/List and Group Management Cipher Suite are optional.

Thus having a check of len > 2 will miss the situation where it IS the last field.

This showed up when developing MFP, as I'm using optional MFP at home and optional MFP doesn't encrypt group management frames. (It should only add the BIP message integrity check IE in each action frame.)

Differential Revision: https://reviews.freebsd.org/D45936

--- sys/net80211/ieee80211_hostap.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c index 82d8f8b2907b..1d741ca4d7bf 100644 --- a/sys/net80211/ieee80211_hostap.c +++ b/sys/net80211/ieee80211_hostap.c @@ -1539,9 +1539,14 @@ ieee80211_parse_rsn(struct ieee80211vap *vap, const uint8_t *frm, rsn->rsn_keymgmt = RSN_ASE_8021X_PSK; /* optional RSN capabilities */ - if (len > 2) + if (len >= 2) { rsn->rsn_caps = le16dec(frm); - /* XXXPMKID */ + frm += 2, len -= 2; + } + + /* XXX PMK Count / PMKID */ + + /* XXX Group Cipher Management Suite */ return 0; }
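
Review bot: The new `if (len >= 2) {` block has no else branch, so an IE with exactly one byte left at this point (len == 1) still falls through to `return 0` without this code assigning `rsn->rsn_caps`. Consider rejecting a single stray trailing byte as malformed, or adding a comment that it is deliberately ignored, and confirm `rsn_caps` has a defined value on that path, since its initialisation is not visible in this hunk. The `frm += 2, len -= 2;` advance is not consumed before `return 0`, which is fine as preparation for the two XXX items, but the second placeholder reads "Group Cipher Management Suite" while the commit message calls the field "Group Management Cipher Suite"; the comment should use the same name.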
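
The boundary the commit message describes, as an added example that is not part of the commit or of FreeBSD's code: a simplified RSN element parser run on a constructed body that ends at the capabilities field, under both length checks. `rsn_caps`, `skip_suites`, `rd16` and `sample_body` are hypothetical names, and the parser assumes the group, pairwise and AKM fields are all present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RSN_CAP_MFPC 0x0080 /* capabilities bit 7: MFP capable */
/* Little-endian 16-bit read, the job le16dec() does in the patch. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Skip a 2-byte suite count and the 4-byte suite selectors that follow. */
static int skip_suites(const uint8_t **frm, size_t *len)
{
    size_t n;
    if (*len < 2)
        return -1;
    n = rd16(*frm);
    *frm += 2; *len -= 2;
    if (*len < 4 * n)
        return -1;
    *frm += 4 * n; *len -= 4 * n;
    return 0;
}

/* Parse an RSN element body (bytes after element ID and length); old_check
 * selects "len > 2". Returns the capabilities, 0 if absent, -1 if truncated. */
int rsn_caps(const uint8_t *frm, size_t len, int old_check)
{
    if (len < 6)                         /* version + group cipher suite */
        return -1;
    frm += 6; len -= 6;
    if (skip_suites(&frm, &len) != 0     /* pairwise cipher suites */
        || skip_suites(&frm, &len) != 0) /* AKM suites */
        return -1;
    return (old_check ? len > 2 : len >= 2) ? rd16(frm) : 0;
}

/* Constructed sample: the body ends at the capabilities field, MFPC set. */
const uint8_t sample_body[] = {
    0x01, 0x00,                         /* version 1 */
    0x00, 0x0f, 0xac, 0x04,             /* group cipher: CCMP-128 */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, /* one pairwise suite: CCMP-128 */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, /* one AKM suite: PSK */
    0x80, 0x00,                         /* capabilities: MFPC */
};

int main(void)
{
    printf("len > 2: 0x%04x, len >= 2: 0x%04x\n",
        (unsigned)rsn_caps(sample_body, sizeof sample_body, 1),
        (unsigned)rsn_caps(sample_body, sizeof sample_body, 0));
    return 0;
}
```

With the old check the MFPC bit is never seen when the capabilities field ends the element, so a peer advertising optional MFP is treated as having no RSN capabilities.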