author | Damien Bergamini <damien@cvs.openbsd.org> | 2007-08-01 13:25:20 +0000 |
---|---|---|
committer | Damien Bergamini <damien@cvs.openbsd.org> | 2007-08-01 13:25:20 +0000 |
commit | c06eac6c8ad771676ef9611ef3f640f5f6b7a4b1 (patch) | |
tree | 8244b288000b05a3f2bac984613f1b3d3fd535af | |
parent | 57007e190caa6c38b3f1350bfc68fa647975af14 (diff) |
check the key length field in message 3 of the 4-way handshake.
change ieee80211_recv_eapol() so that it is called without the
ethernet header stripped.
-rw-r--r-- | sys/net80211/ieee80211_input.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 289d21ee428..a8a6052366d 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -1,5 +1,5 @@
 /* $NetBSD: ieee80211_input.c,v 1.24 2004/05/31 11:12:24 dyoung Exp $ */
-/* $OpenBSD: ieee80211_input.c,v 1.53 2007/08/01 12:59:33 damien Exp $ */
+/* $OpenBSD: ieee80211_input.c,v 1.54 2007/08/01 13:25:19 damien Exp $ */
 /*-
  * Copyright (c) 2001 Atsushi Onoe
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -2123,7 +2123,10 @@ ieee80211_recv_4way_msg3(struct ieee80211com *ic,
 memset(&k, 0, sizeof k);
 k.k_cipher = ni->ni_pairwise_cipher;
 k.k_flags = IEEE80211_KEY_TX;
- k.k_len = ieee80211_cipher_keylen(k.k_cipher);
+ k.k_len = BE_READ_2(key->keylen);
+ /* check that key length matches pairwise cipher */
+ if (k.k_len != ieee80211_cipher_keylen(k.k_cipher))
+ return;
 memcpy(k.k_key, ni->ni_ptk.tk, k.k_len);
 if ((*ic->ic_set_key)(ic, ni, &k) != 0)
 return;
@@ -2430,7 +2433,7 @@ ieee80211_print_eapol_key(struct ieee80211com *ic,
 /*
  * Process an incoming EAPOL frame. Notice that we are only interested in
- * EAPOL-Key frames with an IEEE 802.11 descriptor type.
+ * EAPOL-Key frames with an IEEE 802.11 or WPA1 descriptor type.
  */
 void
 ieee80211_recv_eapol(struct ieee80211com *ic, struct mbuf *m0,
@@ -2439,9 +2442,10 @@ ieee80211_recv_eapol(struct ieee80211com *ic, struct mbuf *m0,
 struct ieee80211_eapol_key *key;
 u_int16_t info;
- if (m0->m_len < sizeof(*key))
+ if (m0->m_len < sizeof(struct ether_header) + sizeof(*key))
 goto out;
+ m_adj(m, sizeof(struct ether_header));
 key = mtod(m0, struct ieee80211_eapol_key *);
 if (key->type != EAPOL_KEY || |
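Review bot: The added comparison in ieee80211_recv_4way_msg3 is now the only thing bounding the memcpy on the following line, because k.k_len is taken from the peer-supplied keylen field instead of the cipher table, and the one-line comment does not say so; suggest `/* keylen is supplied by the peer: it must equal the cipher's key length so the memcpy below stays within k_key and the installed key has the expected size */`. The bare `return` on mismatch also drops the handshake frame with no counter or diagnostic, so a malformed or hostile message 3 is indistinguishable from a lost one when investigating a failed association; if the file has a debug or statistics path for EAPOL errors (none is visible in this hunk), the mismatch is worth reporting there. The BE_READ_2 read itself relies on the caller having checked that at least sizeof(*key) bytes are present, which the ieee80211_recv_eapol hunk in this same commit does. ieee80211_recv_4way_msg3 starts before this hunk and its body continues after it.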