From 035909872bf8faf877418d5fb936a0e1826f7b7d Mon Sep 17 00:00:00 2001
From: Kapil Gupta <kapil.gupta@espressif.com>
Date: Tue, 6 Apr 2021 18:08:44 +0530
Subject: [PATCH] wpa_supplicant: Prevent reinstallation of an already in-use
 group key

---
 components/wpa_supplicant/src/common/wpa_common.h |  5 +++++
 components/wpa_supplicant/src/rsn_supp/wpa.c      | 12 ++++++++++++
 components/wpa_supplicant/src/rsn_supp/wpa_i.h    |  1 +
 3 files changed, 18 insertions(+)

diff --git a/components/wpa_supplicant/src/common/wpa_common.h b/components/wpa_supplicant/src/common/wpa_common.h
index 8d6f94c901..734b3457db 100644
--- a/components/wpa_supplicant/src/common/wpa_common.h
+++ b/components/wpa_supplicant/src/common/wpa_common.h
@@ -184,6 +184,11 @@ struct wpa_ptk {
 	} u;
 } STRUCT_PACKED;
 
+struct wpa_gtk {
+	u8 gtk[WPA_GTK_MAX_LEN];
+	size_t gtk_len;
+};
+
 struct wpa_gtk_data {
 	enum wpa_alg alg;
 	int tx, key_rsc_len, keyidx;
diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c
index 58e3a7189e..f2893f2f7c 100644
--- a/components/wpa_supplicant/src/rsn_supp/wpa.c
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.c
@@ -813,11 +813,20 @@ int   wpa_supplicant_install_gtk(struct wpa_sm *sm,
 
     wpa_hexdump(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
 
+    /* Detect possible key reinstallation */
+    if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+        os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
+            wpa_printf(MSG_DEBUG,
+                    "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+                    gd->keyidx, gd->tx, gd->gtk_len);
+            return 0;
+    }
     #ifdef DEBUG_PRINT
     wpa_printf(MSG_DEBUG, "WPA: Installing GTK to the driver "
            "(keyidx=%d tx=%d len=%d).\n", gd->keyidx, gd->tx,
            gd->gtk_len);
     #endif
+
     wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
     if (sm->group_cipher == WPA_CIPHER_TKIP) {
         /* Swap Tx/Rx keys for Michael MIC */
@@ -851,6 +860,9 @@ int   wpa_supplicant_install_gtk(struct wpa_sm *sm,
         return -1;
     }
 
+    sm->gtk.gtk_len = gd->gtk_len;
+    os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
+
     return 0;
 }
 
diff --git a/components/wpa_supplicant/src/rsn_supp/wpa_i.h b/components/wpa_supplicant/src/rsn_supp/wpa_i.h
index 8e39d7bb22..1d7f9d2566 100644
--- a/components/wpa_supplicant/src/rsn_supp/wpa_i.h
+++ b/components/wpa_supplicant/src/rsn_supp/wpa_i.h
@@ -41,6 +41,7 @@ struct wpa_sm {
     u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
     int rx_replay_counter_set;
     u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+    struct wpa_gtk gtk;
     struct rsn_pmksa_cache *pmksa; /* PMKSA cache */
     struct rsn_pmksa_cache_entry *cur_pmksa; /* current PMKSA entry */