From bac000667cfe0956ee2c7fe5e36184d94fd44ac2 Mon Sep 17 00:00:00 2001
From: jsteube
Date: Tue, 19 Sep 2017 12:01:11 +0200
Subject: [PATCH] Fix wpa_parse_hash(), the wpa esalt was partially initialized beforehand, we can not simply memset it to zero
---
src/interface.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/interface.c b/src/interface.c
index 9a2dc5cd9..3311eddb8 100644
--- a/src/interface.c
+++ b/src/interface.c
@@ -3268,7 +3268,7 @@ int wpa_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED
 wpa_t *wpa = (wpa_t *) hash_buf->esalt;
- memset (wpa, 0, sizeof (wpa_t));
+ // the *wpa was partially initialized beforehand, we can not simply memset it to zero
 hccapx_t in;
@@ -3307,8 +3307,12 @@ int wpa_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED
 wpa->keyver = in.keyver;
+ if ((wpa->keyver != 1) && (wpa->keyver != 2) && (wpa->keyver != 3)) return (PARSER_SALT_VALUE);
+
 u8 *pke_ptr = (u8 *) wpa->pke;
+ memset (pke_ptr, 0, 128);
+
 if ((wpa->keyver == 1) || (wpa->keyver == 2))
 {
 memcpy (pke_ptr, "Pairwise key expansion", 23);
@@ -3393,14 +3397,14 @@ int wpa_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED
 wpa->message_pair = message_pair_orig;
- if ((wpa->keyver != 1) && (wpa->keyver != 2) && (wpa->keyver != 3)) return (PARSER_SALT_VALUE);
-
 wpa->eapol_len = in.eapol_len;
 u8 *eapol_ptr = (u8 *) wpa->eapol;
 memcpy (eapol_ptr, in.eapol, wpa->eapol_len);
+ memset (eapol_ptr + wpa->eapol_len, 0, (256 + 64) - wpa->eapol_len);
+
 eapol_ptr[wpa->eapol_len] = 0x80;
 if (wpa->keyver == 1)
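Review bot: The replacement comment in the first hunk says why the `memset (wpa, 0, sizeof (wpa_t))` had to go but not what now guarantees the fields it used to clear, so the next person who adds a member to `wpa_t` has no hint that it will hold whatever the caller left in the esalt. I would make the contract explicit, e.g. `// *wpa is partially initialized by the caller before this parser runs, so it must not be memset as a whole; every field this parser owns has to be written (or zero-padded) explicitly below`. The two later hunks do exactly that for `pke` and `eapol`, so the comment can point readers at them. wpa_parse_hash begins and ends outside these hunks.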
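Review bot: The new `memset (pke_ptr, 0, 128);` in the second hunk hard-codes the size of `wpa->pke` instead of deriving it, so a change to the `wpa_t` layout would silently leave part of the buffer unzeroed or overrun it. If `pke` is a fixed-size array member of `wpa_t` (the `(u8 *) wpa->pke` cast suggests so, but the struct is not visible here), `memset (pke_ptr, 0, sizeof (wpa->pke));` ties the clear to the declaration. The same applies to the `(256 + 64)` constant in the third hunk, where `sizeof (wpa->eapol)` would serve.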
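Review bot: In the third hunk, `memset (eapol_ptr + wpa->eapol_len, 0, (256 + 64) - wpa->eapol_len);` and the following `eapol_ptr[wpa->eapol_len] = 0x80;` are only safe when `wpa->eapol_len` is strictly below 320, yet `eapol_len` is copied straight from the parsed `in.eapol_len` and this hunk carries no range check; with an unsigned length, a larger value makes the subtraction wrap and the memcpy/memset run past `wpa->eapol`. The function starts outside the hunk, so the bound may be enforced earlier, but since this commit moved the `keyver` check to a different spot it is worth confirming the length check sits before the memcpy. If it does not, `if (wpa->eapol_len >= (256 + 64)) return (PARSER_SALT_VALUE);` (or the parser's dedicated hccapx eapol-length error, if one exists) ahead of the memcpy closes the gap.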