git.openwrt.org Git - openwrt/staging/ansuel.git/blob

   1 From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001
   2 From: Jouni Malinen <j@w1.fi>
   3 Date: Tue, 9 Jul 2024 23:34:34 +0300
   4 Subject: [PATCH] SAE: Reject invalid Rejected Groups element in the parser
   5
   6 There is no need to depend on all uses (i.e., both hostapd and
   7 wpa_supplicant) to verify that the length of the Rejected Groups field
   8 in the Rejected Groups element is valid (i.e., a multiple of two octets)
   9 since the common parser can reject the message when detecting this.
  10
  11 Signed-off-by: Jouni Malinen <j@w1.fi>
  12 ---
  13  src/common/sae.c | 6 ++++++
  14  1 file changed, 6 insertions(+)
  15
  16 --- a/src/common/sae.c
  17 +++ b/src/common/sae.c
  18 @@ -2120,6 +2120,12 @@ static int sae_parse_rejected_groups(str
  19                 return WLAN_STATUS_UNSPECIFIED_FAILURE;
  20         epos++; /* skip ext ID */
  21         len--;
  22 +       if (len & 1) {
  23 +               wpa_printf(MSG_DEBUG,
  24 +                          "SAE: Invalid length of the Rejected Groups element payload: %u",
  25 +                          len);
  26 +               return WLAN_STATUS_UNSPECIFIED_FAILURE;
  27 +       }
  28
  29         wpabuf_free(sae->tmp->peer_rejected_groups);
  30         sae->tmp->peer_rejected_groups = wpabuf_alloc(len);