From 3ce48c440e311c6c128aa3658b24ad1ef6384cf4 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 8 Dec 2018 13:57:51 +0200
Subject: [PATCH] HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing
The previous implementation did not check that we are associated with the sender of the GAS response before checking for PMF status. This could have accepted Venue URL when not in associated state. Fix this by explicitly checking for association with the responder first. This fixes an issue that was detected, e.g., with these hwsim test case sequences: gas_anqp_venue_url_pmf gas_anqp_venue_url gas_prot_vs_not_prot gas_anqp_venue_url
Signed-off-by: Jouni Malinen
---
 wpa_supplicant/gas_query.c | 2 +-
 wpa_supplicant/gas_query.h | 1 +
 wpa_supplicant/interworking.c | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/gas_query.c b/wpa_supplicant/gas_query.c
index f4f60c58b..8e977a3ec 100644
--- a/wpa_supplicant/gas_query.c
+++ b/wpa_supplicant/gas_query.c
@@ -272,7 +272,7 @@ static void gas_query_tx_status(struct wpa_supplicant *wpa_s,
 }
-static int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr)
+int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr)
 {
 if (wpa_s->current_ssid == NULL || wpa_s->wpa_state < WPA_4WAY_HANDSHAKE ||
diff --git a/wpa_supplicant/gas_query.h b/wpa_supplicant/gas_query.h
index 982c0f7ce..d2b455442 100644
--- a/wpa_supplicant/gas_query.h
+++ b/wpa_supplicant/gas_query.h
@@ -19,6 +19,7 @@ void gas_query_deinit(struct gas_query *gas);
 int gas_query_rx(struct gas_query *gas, const u8 *da, const u8 *sa, const u8 *bssid, u8 categ, const u8 *data, size_t len, int freq);
+int pmf_in_use(struct wpa_supplicant *wpa_s, const u8 *addr);
 /**
 * enum gas_query_result - GAS query result
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 398700801..396fea6af 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
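Review bot: The now-exported `pmf_in_use()` in wpa_supplicant/gas_query.c has no contract comment and no module prefix, even though this commit turns it into the gate for a security decision in interworking.c; the same applies to the bare prototype added in the gas_query.h hunk. A short comment above the definition should state what a non-zero return guarantees, going by the commit description something like `/* Non-zero only if addr is the BSSID we are associated with and PMF was negotiated for that association */`. The visible part of the condition accepts any state from `WPA_4WAY_HANDSHAKE` onward, so the comment should also say whether states before `WPA_COMPLETED` are meant to count as "in use". A name such as `gas_query_pmf_in_use()` would match the other symbols in gas_query.h. The function body continues outside the hunk, so the rest of the condition is not visible here.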
@@ -2983,7 +2983,7 @@ static void interworking_parse_rx_anqp_resp(struct wpa_supplicant *wpa_s,
 MAC2STR(sa));
 anqp_add_extra(wpa_s, anqp, info_id, pos, slen);
- if (!wpa_sm_pmf_enabled(wpa_s->wpa)) {
+ if (!pmf_in_use(wpa_s, sa)) {
 wpa_printf(MSG_DEBUG, "ANQP: Ignore Venue URL since PMF was not enabled");
 break;
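Review bot: The debug message under the new `if (!pmf_in_use(wpa_s, sa))` still reads "PMF was not enabled", but per the commit description the helper now also fails when the station is not associated with the sender, so the log misreports why a Venue URL was dropped. Wording such as `"ANQP: Ignore Venue URL since PMF is not in use with the sender"` keeps the trace accurate for anyone troubleshooting a rejected or spoofed response. The check establishes the state of the association, not that this particular frame arrived protected; whether unprotected GAS responses are rejected earlier in the receive path is not visible in this hunk, and a one-line comment naming where that is enforced would help. The enclosing function starts and ends outside the hunk.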