wpa_supplicant only gets to "Sending EAPOL-Key 2/4"

Jouni Malinen jkmaline at cc.hut.fi
Sun Sep 12 14:57:10 EDT 2004


On Sun, Sep 12, 2004 at 11:40:06AM -0700, Jouni Malinen wrote:
> On Sun, Sep 12, 2004 at 01:19:58PM -0400, Matt McHenry wrote:
> > WPA: Own WPA IE - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02
> 
> > Wireless event: cmd=0x8c02 len=159
> > Custom wireless event:
> > 'ASSOCINFO(ReqIEs=00084d617474546f6279010882848b9624b0486c32048c129860dd050010180100dd160050f20101000050f2 RespIEs=010482848b9632088c129824b048606c)'

> That ReqIEs string looks truncated. The last information element,
> dd160050f20101000050f2, has only 9 bytes of data (0050..f2) even though
> its length field indicates that there should be 22 bytes. In other
> words, it looks like the driver (NDIS or ndiswrapper) has truncated the
> data. Based on this, I would direct this to ndiswrapper mailing lists.
> However, thanks for reporting this here, since this also showed a bug in
> wpa_supplicant: it should reject that kind of ReqIEs report and complain
> loudly about it.

I fixed this now in wpa_supplicant. I would appreciate it if you test
the fix with your current setup that can generate these truncated IEs. In
theory, this fix could even be enough to work around the problem since
wpa_supplicant tries to generate WPA IE itself when the driver does not
report one. If the IEs match, the AP should allow authentication to
continue.

You can either get the fix for wpa_supplicant by downloading the latest
CVS snapshot of the development version from http://hostap.epitest.fi/
or by applying the attached patch to the version you are using.

-- 
Jouni Malinen                                            PGP id EFC895FA
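
The truncation described in the message can be checked by walking the quoted ReqIEs string as id/length/data elements and comparing each length field against the bytes that remain. The C code below is an added example, not part of the original message or of wpa_supplicant; `check_hex_ies` and `nib` are hypothetical helper names, and the hex strings are the ones from the quoted ASSOCINFO event with the mail line wraps removed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed input: hex from the ASSOCINFO event quoted in this thread. */
static const char *REQ_IES = "00084d617474546f6279010882848b9624b0486c"
	"32048c129860dd050010180100dd160050f20101000050f2";
static const char *RESP_IES = "010482848b9632088c129824b048606c";

static int nib(char c)
{
	return (c >= '0' && c <= '9') ? c - '0' :
	       (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Returns the number of complete IEs (-1 on bad hex). *trunc_off: offset of
 * the first IE that runs past the buffer (-1 if none); *missing: bytes short. */
int check_hex_ies(const char *hex, int *trunc_off, int *missing)
{
	unsigned char buf[256];
	size_t l = strlen(hex) / 2, off = 0, need = 0, i;
	int count = 0;
	*trunc_off = -1;
	*missing = 0;
	if (strlen(hex) % 2 || l > sizeof(buf))
		return -1;
	for (i = 0; i < l; i++) {
		if (nib(hex[2 * i]) < 0 || nib(hex[2 * i + 1]) < 0)
			return -1;
		buf[i] = (unsigned char) (nib(hex[2 * i]) << 4 | nib(hex[2 * i + 1]));
	}
	for (; off < l; off += need, count++) {
		/* A lone trailing byte cannot even hold the length field. */
		need = (l - off < 2) ? 2 : (size_t) buf[off + 1] + 2;
		if (need > l - off) {
			*trunc_off = (int) off;
			*missing = (int) (need - (l - off));
			break;
		}
	}
	return count;
}

int main(void)
{
	int off, miss, n = check_hex_ies(REQ_IES, &off, &miss);
	printf("ReqIEs: %d complete, truncated at %d, %d short\n", n, off, miss);
	n = check_hex_ies(RESP_IES, &off, &miss);
	printf("RespIEs: %d complete, truncated at %d\n", n, off);
	return 0;
}
```

For the ReqIEs string, the fifth element starts at offset 33 with a length field of 0x16 (22) but only 9 data bytes follow, which is the mismatch pointed out above; the RespIEs string parses cleanly.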
-------------- next part --------------
Index: wpa_supplicant.c
===================================================================
RCS file: /home/jm/cvsroot/hostap/wpa_supplicant/wpa_supplicant.c,v
retrieving revision 1.147
diff -u -p -r1.147 wpa_supplicant.c
--- wpa_supplicant.c	8 Sep 2004 03:37:28 -0000	1.147
+++ wpa_supplicant.c	12 Sep 2004 18:50:38 -0000
@@ -666,14 +666,19 @@ void wpa_supplicant_event(struct wpa_sup
 		p = data->assoc_info.req_ies;
 		l = data->assoc_info.req_ies_len;
 
-		/* Go through the IEs and make a copy of the WPA IE, if
+		/* Go through the IEs and make a copy of the WPA/RSN IE, if
 		 * present. */
-		while (l > (2 + 6)) {
+		while (l >= 2) {
 			len = p[1] + 2;
-			if (((p[0] == GENERIC_INFO_ELEM) && (p[1] > 6) &&
+			if (len > l) {
+				wpa_hexdump(MSG_DEBUG, "Truncated IE in "
+					    "assoc_info", p, l);
+				break;
+			}
+			if ((p[0] == GENERIC_INFO_ELEM && p[1] >= 6 &&
 			     (memcmp(&p[2], "\x00\x50\xF2\x01\x01\x00", 6) ==
 			      0)) ||
-			    p[0] == RSN_INFO_ELEM) {
+			    (p[0] == RSN_INFO_ELEM && p[1] >= 2)) {
 				wpa_s->assoc_wpa_ie = malloc(len);
 				if (wpa_s->assoc_wpa_ie == NULL)
 					break;
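
Review bot: the new `len > l` branch reports the truncated element only through wpa_hexdump at MSG_DEBUG before breaking, so the malformed driver report is visible only when debug-level output is enabled, which falls short of the "complain loudly" intent stated in the thread; consider adding a message at a higher level next to the hexdump. The loop condition `while (l >= 2)` also exits silently when a single trailing byte is left (l == 1), which is the same kind of truncated report and could be logged through the same path after the loop.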

