Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-17 17:43:06 -05:00
Code Issues Projects Releases Wiki Activity

Fix memcpy regression in PMK handling

Browse Source 
The memcpy calls added for exposing the PMK from wpa_auth module could
end up trying to copy the same memory buffer on top of itself.
Overlapping memory areas are not allowed with memcpy, so this could
result in undefined behavior. Fix this by making the copies conditional
on the updated value actually coming from somewhere else.

Fixes: b08c9ad0c78d ("AP: Expose PMK outside of wpa_auth module")
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-03-23 12:44:42 +02:00
parent 130444738b
commit 08dc8efd29
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/ap/wpa_auth.c
View File

@ -892,8 +892,10 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
data, data_len) == 0) {
os_memcpy(sm->PMK, pmk, pmk_len);
sm->pmk_len = pmk_len;
if (sm->PMK != pmk) {
os_memcpy(sm->PMK, pmk, pmk_len);
sm->pmk_len = pmk_len;
}
ok = 1;
break;
}
@ -2791,8 +2793,10 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
sm->last_rx_eapol_key,
sm->last_rx_eapol_key_len) == 0) {
os_memcpy(sm->PMK, pmk, pmk_len);
sm->pmk_len = pmk_len;
if (sm->PMK != pmk) {
os_memcpy(sm->PMK, pmk, pmk_len);
sm->pmk_len = pmk_len;
}
ok = 1;
break;
}