diff mbox series

[1/2] RSN: Reject invalid GTK KDE length in msg 3/4

Message ID 20260512131558.18020-2-chung-hsien.hsu@infineon.com
State Accepted
Headers show
Series RSN: Validate GTK KDE lengths before msg 4/4 | expand

Commit Message

Chung-Hsien Hsu May 12, 2026, 1:15 p.m. UTC 
Validate the GTK KDE length in EAPOL-Key message 3/4 before transmitting
message 4/4.

The GTK KDE length is already checked when processing the GTK for
installation. However, that validation is reached only after message 4/4
has been transmitted. This allows a malformed message 3/4 with an
invalid GTK KDE length to be acknowledged even though the supplicant
later rejects the GTK and fails the handshake.

Reject message 3/4 before sending message 4/4 if the GTK KDE is too
short to include the GTK KDE header, or if the GTK payload would exceed
the local GTK buffer. Reuse the same helper in the later GTK
installation path to keep the validation rules consistent.

Signed-off-by: R Sanath Kumar <rsanath.kumar@infineon.com>
Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@infineon.com>
---
 src/rsn_supp/wpa.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 2c5ed11c8189..ecc0eddd45ab 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1398,6 +1398,17 @@  struct wpa_gtk_data {
 };
 
 
+static int wpa_supplicant_validate_gtk_kde_len(size_t gtk_len)
+{
+	struct wpa_gtk_data gd;
+
+	if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
+		return -1;
+
+	return 0;
+}
+
+
 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
 				      const struct wpa_gtk_data *gd,
 				      const u8 *key_rsc, int wnm_sleep)
@@ -1668,7 +1679,7 @@  static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
 	wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
 			gtk, gtk_len);
 
-	if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
+	if (wpa_supplicant_validate_gtk_kde_len(gtk_len) < 0)
 		return -1;
 
 	gd.keyidx = gtk[0] & 0x3;
@@ -2892,6 +2903,15 @@  static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
 			"WPA: GTK IE in unencrypted key data");
 		goto failed;
 	}
+
+	if (!mlo && ie.gtk &&
+	    wpa_supplicant_validate_gtk_kde_len(ie.gtk_len) < 0) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+			"WPA: Invalid GTK KDE length %lu",
+			(unsigned long) ie.gtk_len);
+		goto failed;
+	}
+
 	if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
 		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 			"WPA: IGTK KDE in unencrypted key data");