1 /*
2  * Wi-Fi Protected Setup - attribute parsing
3  * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "wps_defs.h"
13 #include "wps_attr_parse.h"
14 
15 #ifndef CONFIG_WPS_STRICT
16 #define WPS_WORKAROUNDS
17 #endif /* CONFIG_WPS_STRICT */
18 
19 
wps_set_vendor_ext_wfa_subelem(struct wps_parse_attr * attr,u8 id,u8 len,const u8 * pos)20 static int wps_set_vendor_ext_wfa_subelem(struct wps_parse_attr *attr,
21 					  u8 id, u8 len, const u8 *pos)
22 {
23 	wpa_printf(MSG_EXCESSIVE, "WPS: WFA subelement id=%u len=%u",
24 		   id, len);
25 	switch (id) {
26 	case WFA_ELEM_VERSION2:
27 		if (len != 1) {
28 			wpa_printf(MSG_DEBUG, "WPS: Invalid Version2 length "
29 				   "%u", len);
30 			return -1;
31 		}
32 		attr->version2 = pos;
33 		break;
34 	case WFA_ELEM_AUTHORIZEDMACS:
35 		attr->authorized_macs = pos;
36 		attr->authorized_macs_len = len;
37 		break;
38 	case WFA_ELEM_NETWORK_KEY_SHAREABLE:
39 		if (len != 1) {
40 			wpa_printf(MSG_DEBUG, "WPS: Invalid Network Key "
41 				   "Shareable length %u", len);
42 			return -1;
43 		}
44 		attr->network_key_shareable = pos;
45 		break;
46 	case WFA_ELEM_REQUEST_TO_ENROLL:
47 		if (len != 1) {
48 			wpa_printf(MSG_DEBUG, "WPS: Invalid Request to Enroll "
49 				   "length %u", len);
50 			return -1;
51 		}
52 		attr->request_to_enroll = pos;
53 		break;
54 	case WFA_ELEM_SETTINGS_DELAY_TIME:
55 		if (len != 1) {
56 			wpa_printf(MSG_DEBUG, "WPS: Invalid Settings Delay "
57 				   "Time length %u", len);
58 			return -1;
59 		}
60 		attr->settings_delay_time = pos;
61 		break;
62 	case WFA_ELEM_REGISTRAR_CONFIGURATION_METHODS:
63 		if (len != 2) {
64 			wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Configuration Methods length %u",
65 				   len);
66 			return -1;
67 		}
68 		attr->registrar_configuration_methods = pos;
69 		break;
70 	case WFA_ELEM_MULTI_AP:
71 		if (len != 1) {
72 			wpa_printf(MSG_DEBUG,
73 				   "WPS: Invalid Multi-AP Extension length %u",
74 				   len);
75 			return -1;
76 		}
77 		attr->multi_ap_ext = *pos;
78 		wpa_printf(MSG_DEBUG, "WPS: Multi-AP Extension 0x%02x",
79 			   attr->multi_ap_ext);
80 		break;
81 	default:
82 		wpa_printf(MSG_MSGDUMP, "WPS: Skipped unknown WFA Vendor "
83 			   "Extension subelement %u", id);
84 		break;
85 	}
86 
87 	return 0;
88 }
89 
90 
wps_parse_vendor_ext_wfa(struct wps_parse_attr * attr,const u8 * pos,u16 len)91 static int wps_parse_vendor_ext_wfa(struct wps_parse_attr *attr, const u8 *pos,
92 				    u16 len)
93 {
94 	const u8 *end = pos + len;
95 	u8 id, elen;
96 
97 	while (end - pos >= 2) {
98 		id = *pos++;
99 		elen = *pos++;
100 		if (elen > end - pos)
101 			break;
102 		if (wps_set_vendor_ext_wfa_subelem(attr, id, elen, pos) < 0)
103 			return -1;
104 		pos += elen;
105 	}
106 
107 	return 0;
108 }
109 
110 
wps_parse_vendor_ext(struct wps_parse_attr * attr,const u8 * pos,u16 len)111 static int wps_parse_vendor_ext(struct wps_parse_attr *attr, const u8 *pos,
112 				u16 len)
113 {
114 	u32 vendor_id;
115 
116 	if (len < 3) {
117 		wpa_printf(MSG_DEBUG, "WPS: Skip invalid Vendor Extension");
118 		return 0;
119 	}
120 
121 	vendor_id = WPA_GET_BE24(pos);
122 	switch (vendor_id) {
123 	case WPS_VENDOR_ID_WFA:
124 		return wps_parse_vendor_ext_wfa(attr, pos + 3, len - 3);
125 	}
126 
127 	/* Handle unknown vendor extensions */
128 
129 	wpa_printf(MSG_MSGDUMP, "WPS: Unknown Vendor Extension (Vendor ID %u)",
130 		   vendor_id);
131 
132 	if (len > WPS_MAX_VENDOR_EXT_LEN) {
133 		wpa_printf(MSG_DEBUG, "WPS: Too long Vendor Extension (%u)",
134 			   len);
135 		return -1;
136 	}
137 
138 	if (attr->num_vendor_ext >= MAX_WPS_PARSE_VENDOR_EXT) {
139 		wpa_printf(MSG_DEBUG, "WPS: Skipped Vendor Extension "
140 			   "attribute (max %d vendor extensions)",
141 			   MAX_WPS_PARSE_VENDOR_EXT);
142 		return -1;
143 	}
144 	attr->vendor_ext[attr->num_vendor_ext] = pos;
145 	attr->vendor_ext_len[attr->num_vendor_ext] = len;
146 	attr->num_vendor_ext++;
147 
148 	return 0;
149 }
150 
151 
wps_set_attr(struct wps_parse_attr * attr,u16 type,const u8 * pos,u16 len)152 static int wps_set_attr(struct wps_parse_attr *attr, u16 type,
153 			const u8 *pos, u16 len)
154 {
155 	switch (type) {
156 	case ATTR_VERSION:
157 		if (len != 1) {
158 			wpa_printf(MSG_DEBUG, "WPS: Invalid Version length %u",
159 				   len);
160 			return -1;
161 		}
162 		attr->version = pos;
163 		break;
164 	case ATTR_MSG_TYPE:
165 		if (len != 1) {
166 			wpa_printf(MSG_DEBUG, "WPS: Invalid Message Type "
167 				   "length %u", len);
168 			return -1;
169 		}
170 		attr->msg_type = pos;
171 		break;
172 	case ATTR_ENROLLEE_NONCE:
173 		if (len != WPS_NONCE_LEN) {
174 			wpa_printf(MSG_DEBUG, "WPS: Invalid Enrollee Nonce "
175 				   "length %u", len);
176 			return -1;
177 		}
178 		attr->enrollee_nonce = pos;
179 		break;
180 	case ATTR_REGISTRAR_NONCE:
181 		if (len != WPS_NONCE_LEN) {
182 			wpa_printf(MSG_DEBUG, "WPS: Invalid Registrar Nonce "
183 				   "length %u", len);
184 			return -1;
185 		}
186 		attr->registrar_nonce = pos;
187 		break;
188 	case ATTR_UUID_E:
189 		if (len != WPS_UUID_LEN) {
190 			wpa_printf(MSG_DEBUG, "WPS: Invalid UUID-E length %u",
191 				   len);
192 			return -1;
193 		}
194 		attr->uuid_e = pos;
195 		break;
196 	case ATTR_UUID_R:
197 		if (len != WPS_UUID_LEN) {
198 			wpa_printf(MSG_DEBUG, "WPS: Invalid UUID-R length %u",
199 				   len);
200 			return -1;
201 		}
202 		attr->uuid_r = pos;
203 		break;
204 	case ATTR_AUTH_TYPE_FLAGS:
205 		if (len != 2) {
206 			wpa_printf(MSG_DEBUG, "WPS: Invalid Authentication "
207 				   "Type Flags length %u", len);
208 			return -1;
209 		}
210 		attr->auth_type_flags = pos;
211 		break;
212 	case ATTR_ENCR_TYPE_FLAGS:
213 		if (len != 2) {
214 			wpa_printf(MSG_DEBUG, "WPS: Invalid Encryption Type "
215 				   "Flags length %u", len);
216 			return -1;
217 		}
218 		attr->encr_type_flags = pos;
219 		break;
220 	case ATTR_CONN_TYPE_FLAGS:
221 		if (len != 1) {
222 			wpa_printf(MSG_DEBUG, "WPS: Invalid Connection Type "
223 				   "Flags length %u", len);
224 			return -1;
225 		}
226 		attr->conn_type_flags = pos;
227 		break;
228 	case ATTR_CONFIG_METHODS:
229 		if (len != 2) {
230 			wpa_printf(MSG_DEBUG, "WPS: Invalid Config Methods "
231 				   "length %u", len);
232 			return -1;
233 		}
234 		attr->config_methods = pos;
235 		break;
236 	case ATTR_SELECTED_REGISTRAR_CONFIG_METHODS:
237 		if (len != 2) {
238 			wpa_printf(MSG_DEBUG, "WPS: Invalid Selected "
239 				   "Registrar Config Methods length %u", len);
240 			return -1;
241 		}
242 		attr->sel_reg_config_methods = pos;
243 		break;
244 	case ATTR_PRIMARY_DEV_TYPE:
245 		if (len != WPS_DEV_TYPE_LEN) {
246 			wpa_printf(MSG_DEBUG, "WPS: Invalid Primary Device "
247 				   "Type length %u", len);
248 			return -1;
249 		}
250 		attr->primary_dev_type = pos;
251 		break;
252 	case ATTR_RF_BANDS:
253 		if (len != 1) {
254 			wpa_printf(MSG_DEBUG, "WPS: Invalid RF Bands length "
255 				   "%u", len);
256 			return -1;
257 		}
258 		attr->rf_bands = pos;
259 		break;
260 	case ATTR_ASSOC_STATE:
261 		if (len != 2) {
262 			wpa_printf(MSG_DEBUG, "WPS: Invalid Association State "
263 				   "length %u", len);
264 			return -1;
265 		}
266 		attr->assoc_state = pos;
267 		break;
268 	case ATTR_CONFIG_ERROR:
269 		if (len != 2) {
270 			wpa_printf(MSG_DEBUG, "WPS: Invalid Configuration "
271 				   "Error length %u", len);
272 			return -1;
273 		}
274 		attr->config_error = pos;
275 		break;
276 	case ATTR_DEV_PASSWORD_ID:
277 		if (len != 2) {
278 			wpa_printf(MSG_DEBUG, "WPS: Invalid Device Password "
279 				   "ID length %u", len);
280 			return -1;
281 		}
282 		attr->dev_password_id = pos;
283 		break;
284 	case ATTR_OOB_DEVICE_PASSWORD:
285 		if (len < WPS_OOB_PUBKEY_HASH_LEN + 2 ||
286 		    len > WPS_OOB_PUBKEY_HASH_LEN + 2 +
287 		    WPS_OOB_DEVICE_PASSWORD_LEN ||
288 		    (len < WPS_OOB_PUBKEY_HASH_LEN + 2 +
289 		     WPS_OOB_DEVICE_PASSWORD_MIN_LEN &&
290 		     WPA_GET_BE16(pos + WPS_OOB_PUBKEY_HASH_LEN) !=
291 		     DEV_PW_NFC_CONNECTION_HANDOVER)) {
292 			wpa_printf(MSG_DEBUG, "WPS: Invalid OOB Device "
293 				   "Password length %u", len);
294 			return -1;
295 		}
296 		attr->oob_dev_password = pos;
297 		attr->oob_dev_password_len = len;
298 		break;
299 	case ATTR_OS_VERSION:
300 		if (len != 4) {
301 			wpa_printf(MSG_DEBUG, "WPS: Invalid OS Version length "
302 				   "%u", len);
303 			return -1;
304 		}
305 		attr->os_version = pos;
306 		break;
307 	case ATTR_WPS_STATE:
308 		if (len != 1) {
309 			wpa_printf(MSG_DEBUG, "WPS: Invalid Wi-Fi Protected "
310 				   "Setup State length %u", len);
311 			return -1;
312 		}
313 		attr->wps_state = pos;
314 		break;
315 	case ATTR_AUTHENTICATOR:
316 		if (len != WPS_AUTHENTICATOR_LEN) {
317 			wpa_printf(MSG_DEBUG, "WPS: Invalid Authenticator "
318 				   "length %u", len);
319 			return -1;
320 		}
321 		attr->authenticator = pos;
322 		break;
323 	case ATTR_R_HASH1:
324 		if (len != WPS_HASH_LEN) {
325 			wpa_printf(MSG_DEBUG, "WPS: Invalid R-Hash1 length %u",
326 				   len);
327 			return -1;
328 		}
329 		attr->r_hash1 = pos;
330 		break;
331 	case ATTR_R_HASH2:
332 		if (len != WPS_HASH_LEN) {
333 			wpa_printf(MSG_DEBUG, "WPS: Invalid R-Hash2 length %u",
334 				   len);
335 			return -1;
336 		}
337 		attr->r_hash2 = pos;
338 		break;
339 	case ATTR_E_HASH1:
340 		if (len != WPS_HASH_LEN) {
341 			wpa_printf(MSG_DEBUG, "WPS: Invalid E-Hash1 length %u",
342 				   len);
343 			return -1;
344 		}
345 		attr->e_hash1 = pos;
346 		break;
347 	case ATTR_E_HASH2:
348 		if (len != WPS_HASH_LEN) {
349 			wpa_printf(MSG_DEBUG, "WPS: Invalid E-Hash2 length %u",
350 				   len);
351 			return -1;
352 		}
353 		attr->e_hash2 = pos;
354 		break;
355 	case ATTR_R_SNONCE1:
356 		if (len != WPS_SECRET_NONCE_LEN) {
357 			wpa_printf(MSG_DEBUG, "WPS: Invalid R-SNonce1 length "
358 				   "%u", len);
359 			return -1;
360 		}
361 		attr->r_snonce1 = pos;
362 		break;
363 	case ATTR_R_SNONCE2:
364 		if (len != WPS_SECRET_NONCE_LEN) {
365 			wpa_printf(MSG_DEBUG, "WPS: Invalid R-SNonce2 length "
366 				   "%u", len);
367 			return -1;
368 		}
369 		attr->r_snonce2 = pos;
370 		break;
371 	case ATTR_E_SNONCE1:
372 		if (len != WPS_SECRET_NONCE_LEN) {
373 			wpa_printf(MSG_DEBUG, "WPS: Invalid E-SNonce1 length "
374 				   "%u", len);
375 			return -1;
376 		}
377 		attr->e_snonce1 = pos;
378 		break;
379 	case ATTR_E_SNONCE2:
380 		if (len != WPS_SECRET_NONCE_LEN) {
381 			wpa_printf(MSG_DEBUG, "WPS: Invalid E-SNonce2 length "
382 				   "%u", len);
383 			return -1;
384 		}
385 		attr->e_snonce2 = pos;
386 		break;
387 	case ATTR_KEY_WRAP_AUTH:
388 		if (len != WPS_KWA_LEN) {
389 			wpa_printf(MSG_DEBUG, "WPS: Invalid Key Wrap "
390 				   "Authenticator length %u", len);
391 			return -1;
392 		}
393 		attr->key_wrap_auth = pos;
394 		break;
395 	case ATTR_AUTH_TYPE:
396 		if (len != 2) {
397 			wpa_printf(MSG_DEBUG, "WPS: Invalid Authentication "
398 				   "Type length %u", len);
399 			return -1;
400 		}
401 		attr->auth_type = pos;
402 		break;
403 	case ATTR_ENCR_TYPE:
404 		if (len != 2) {
405 			wpa_printf(MSG_DEBUG, "WPS: Invalid Encryption "
406 				   "Type length %u", len);
407 			return -1;
408 		}
409 		attr->encr_type = pos;
410 		break;
411 	case ATTR_NETWORK_INDEX:
412 		if (len != 1) {
413 			wpa_printf(MSG_DEBUG, "WPS: Invalid Network Index "
414 				   "length %u", len);
415 			return -1;
416 		}
417 		attr->network_idx = pos;
418 		break;
419 	case ATTR_NETWORK_KEY_INDEX:
420 		if (len != 1) {
421 			wpa_printf(MSG_DEBUG, "WPS: Invalid Network Key Index "
422 				   "length %u", len);
423 			return -1;
424 		}
425 		attr->network_key_idx = pos;
426 		break;
427 	case ATTR_MAC_ADDR:
428 		if (len != ETH_ALEN) {
429 			wpa_printf(MSG_DEBUG, "WPS: Invalid MAC Address "
430 				   "length %u", len);
431 			return -1;
432 		}
433 		attr->mac_addr = pos;
434 		break;
435 	case ATTR_SELECTED_REGISTRAR:
436 		if (len != 1) {
437 			wpa_printf(MSG_DEBUG, "WPS: Invalid Selected Registrar"
438 				   " length %u", len);
439 			return -1;
440 		}
441 		attr->selected_registrar = pos;
442 		break;
443 	case ATTR_REQUEST_TYPE:
444 		if (len != 1) {
445 			wpa_printf(MSG_DEBUG, "WPS: Invalid Request Type "
446 				   "length %u", len);
447 			return -1;
448 		}
449 		attr->request_type = pos;
450 		break;
451 	case ATTR_RESPONSE_TYPE:
452 		if (len != 1) {
453 			wpa_printf(MSG_DEBUG, "WPS: Invalid Response Type "
454 				   "length %u", len);
455 			return -1;
456 		}
457 		attr->response_type = pos;
458 		break;
459 	case ATTR_MANUFACTURER:
460 		attr->manufacturer = pos;
461 		if (len > WPS_MANUFACTURER_MAX_LEN)
462 			attr->manufacturer_len = WPS_MANUFACTURER_MAX_LEN;
463 		else
464 			attr->manufacturer_len = len;
465 		break;
466 	case ATTR_MODEL_NAME:
467 		attr->model_name = pos;
468 		if (len > WPS_MODEL_NAME_MAX_LEN)
469 			attr->model_name_len = WPS_MODEL_NAME_MAX_LEN;
470 		else
471 			attr->model_name_len = len;
472 		break;
473 	case ATTR_MODEL_NUMBER:
474 		attr->model_number = pos;
475 		if (len > WPS_MODEL_NUMBER_MAX_LEN)
476 			attr->model_number_len = WPS_MODEL_NUMBER_MAX_LEN;
477 		else
478 			attr->model_number_len = len;
479 		break;
480 	case ATTR_SERIAL_NUMBER:
481 		attr->serial_number = pos;
482 		if (len > WPS_SERIAL_NUMBER_MAX_LEN)
483 			attr->serial_number_len = WPS_SERIAL_NUMBER_MAX_LEN;
484 		else
485 			attr->serial_number_len = len;
486 		break;
487 	case ATTR_DEV_NAME:
488 		if (len > WPS_DEV_NAME_MAX_LEN) {
489 			wpa_printf(MSG_DEBUG,
490 				   "WPS: Ignore too long Device Name (len=%u)",
491 				   len);
492 			break;
493 		}
494 		attr->dev_name = pos;
495 		attr->dev_name_len = len;
496 		break;
497 	case ATTR_PUBLIC_KEY:
498 		/*
499 		 * The Public Key attribute is supposed to be exactly 192 bytes
500 		 * in length. Allow couple of bytes shorter one to try to
501 		 * interoperate with implementations that do not use proper
502 		 * zero-padding.
503 		 */
504 		if (len < 190 || len > 192) {
505 			wpa_printf(MSG_DEBUG,
506 				   "WPS: Ignore Public Key with unexpected length %u",
507 				   len);
508 			break;
509 		}
510 		attr->public_key = pos;
511 		attr->public_key_len = len;
512 		break;
513 	case ATTR_ENCR_SETTINGS:
514 		attr->encr_settings = pos;
515 		attr->encr_settings_len = len;
516 		break;
517 	case ATTR_CRED:
518 		if (attr->num_cred >= MAX_CRED_COUNT) {
519 			wpa_printf(MSG_DEBUG, "WPS: Skipped Credential "
520 				   "attribute (max %d credentials)",
521 				   MAX_CRED_COUNT);
522 			break;
523 		}
524 		attr->cred[attr->num_cred] = pos;
525 		attr->cred_len[attr->num_cred] = len;
526 		attr->num_cred++;
527 		break;
528 	case ATTR_SSID:
529 		if (len > SSID_MAX_LEN) {
530 			wpa_printf(MSG_DEBUG,
531 				   "WPS: Ignore too long SSID (len=%u)", len);
532 			break;
533 		}
534 		attr->ssid = pos;
535 		attr->ssid_len = len;
536 		break;
537 	case ATTR_NETWORK_KEY:
538 		attr->network_key = pos;
539 		attr->network_key_len = len;
540 		break;
541 	case ATTR_AP_SETUP_LOCKED:
542 		if (len != 1) {
543 			wpa_printf(MSG_DEBUG, "WPS: Invalid AP Setup Locked "
544 				   "length %u", len);
545 			return -1;
546 		}
547 		attr->ap_setup_locked = pos;
548 		break;
549 	case ATTR_REQUESTED_DEV_TYPE:
550 		if (len != WPS_DEV_TYPE_LEN) {
551 			wpa_printf(MSG_DEBUG, "WPS: Invalid Requested Device "
552 				   "Type length %u", len);
553 			return -1;
554 		}
555 		if (attr->num_req_dev_type >= MAX_REQ_DEV_TYPE_COUNT) {
556 			wpa_printf(MSG_DEBUG, "WPS: Skipped Requested Device "
557 				   "Type attribute (max %u types)",
558 				   MAX_REQ_DEV_TYPE_COUNT);
559 			break;
560 		}
561 		attr->req_dev_type[attr->num_req_dev_type] = pos;
562 		attr->num_req_dev_type++;
563 		break;
564 	case ATTR_SECONDARY_DEV_TYPE_LIST:
565 		if (len > WPS_SEC_DEV_TYPE_MAX_LEN ||
566 		    (len % WPS_DEV_TYPE_LEN) > 0) {
567 			wpa_printf(MSG_DEBUG, "WPS: Invalid Secondary Device "
568 				   "Type length %u", len);
569 			return -1;
570 		}
571 		attr->sec_dev_type_list = pos;
572 		attr->sec_dev_type_list_len = len;
573 		break;
574 	case ATTR_VENDOR_EXT:
575 		if (wps_parse_vendor_ext(attr, pos, len) < 0)
576 			return -1;
577 		break;
578 	case ATTR_AP_CHANNEL:
579 		if (len != 2) {
580 			wpa_printf(MSG_DEBUG, "WPS: Invalid AP Channel "
581 				   "length %u", len);
582 			return -1;
583 		}
584 		attr->ap_channel = pos;
585 		break;
586 	default:
587 		wpa_printf(MSG_DEBUG, "WPS: Unsupported attribute type 0x%x "
588 			   "len=%u", type, len);
589 		break;
590 	}
591 
592 	return 0;
593 }
594 
595 
wps_parse_msg(const struct wpabuf * msg,struct wps_parse_attr * attr)596 int wps_parse_msg(const struct wpabuf *msg, struct wps_parse_attr *attr)
597 {
598 	const u8 *pos, *end;
599 	u16 type, len;
600 #ifdef WPS_WORKAROUNDS
601 	u16 prev_type = 0;
602 #endif /* WPS_WORKAROUNDS */
603 
604 	os_memset(attr, 0, sizeof(*attr));
605 	pos = wpabuf_head(msg);
606 	end = pos + wpabuf_len(msg);
607 
608 	while (pos < end) {
609 		if (end - pos < 4) {
610 			wpa_printf(MSG_DEBUG, "WPS: Invalid message - "
611 				   "%lu bytes remaining",
612 				   (unsigned long) (end - pos));
613 			return -1;
614 		}
615 
616 		type = WPA_GET_BE16(pos);
617 		pos += 2;
618 		len = WPA_GET_BE16(pos);
619 		pos += 2;
620 		wpa_printf(MSG_EXCESSIVE, "WPS: attr type=0x%x len=%u",
621 			   type, len);
622 		if (len > end - pos) {
623 			wpa_printf(MSG_DEBUG, "WPS: Attribute overflow");
624 			wpa_hexdump_buf(MSG_MSGDUMP, "WPS: Message data", msg);
625 #ifdef WPS_WORKAROUNDS
626 			/*
627 			 * Some deployed APs seem to have a bug in encoding of
628 			 * Network Key attribute in the Credential attribute
629 			 * where they add an extra octet after the Network Key
630 			 * attribute at least when open network is being
631 			 * provisioned.
632 			 */
633 			if ((type & 0xff00) != 0x1000 &&
634 			    prev_type == ATTR_NETWORK_KEY) {
635 				wpa_printf(MSG_DEBUG, "WPS: Workaround - try "
636 					   "to skip unexpected octet after "
637 					   "Network Key");
638 				pos -= 3;
639 				continue;
640 			}
641 #endif /* WPS_WORKAROUNDS */
642 			return -1;
643 		}
644 
645 #ifdef WPS_WORKAROUNDS
646 		if (type == 0 && len == 0) {
647 			/*
648 			 * Mac OS X 10.6 seems to be adding 0x00 padding to the
649 			 * end of M1. Skip those to avoid interop issues.
650 			 */
651 			int i;
652 			for (i = 0; i < end - pos; i++) {
653 				if (pos[i])
654 					break;
655 			}
656 			if (i == end - pos) {
657 				wpa_printf(MSG_DEBUG, "WPS: Workaround - skip "
658 					   "unexpected message padding");
659 				break;
660 			}
661 		}
662 #endif /* WPS_WORKAROUNDS */
663 
664 		if (wps_set_attr(attr, type, pos, len) < 0)
665 			return -1;
666 
667 #ifdef WPS_WORKAROUNDS
668 		prev_type = type;
669 #endif /* WPS_WORKAROUNDS */
670 		pos += len;
671 	}
672 
673 	return 0;
674 }
675