[PATCH] ap: reflect status code in SAE reflection attack

Thomas Pedersen thomas at adapt-ip.com
Tue Aug 25 11:48:06 EDT 2020

When testing SAE reflection, the incoming commit may have
the H2E status code (0x7e), but the AP was always sending
back status code 0. The STA would then reject the commit
response due to expecting H2E status code.

Just reflect the incoming status code so the commit can be
rejected based on the SAE contents.

Signed-off-by: Thomas Pedersen <thomas at adapt-ip.com>
 src/ap/ieee802_11.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index c98e77103106..f9b9f3f82b46 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1241,6 +1241,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 		wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
 		pos = mgmt->u.auth.variable;
 		end = ((const u8 *) mgmt) + len;
+		resp = status_code;
 		send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
 				auth_transaction, resp, pos, end - pos,

More information about the Hostap mailing list