8d88a4aa13ac16e993eab21dae4f84de2bb1a62e
[openwrt/staging/wigyori.git] /
1 From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Tue, 9 Jul 2024 23:33:38 +0300
4 Subject: [PATCH] SAE: Check for invalid Rejected Groups element length
5 explicitly on STA
6
7 Instead of practically ignoring an odd octet at the end of the element,
8 check for such invalid case explicitly. This is needed to avoid a
9 potential group downgrade attack.
10
11 Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
12 Signed-off-by: Jouni Malinen <j@w1.fi>
13 ---
14 wpa_supplicant/sme.c | 11 +++++++++--
15 1 file changed, 9 insertions(+), 2 deletions(-)
16
17 --- a/wpa_supplicant/sme.c
18 +++ b/wpa_supplicant/sme.c
19 @@ -1561,14 +1561,21 @@ static int sme_sae_is_group_enabled(stru
20 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
21 const struct wpabuf *groups)
22 {
23 - size_t i, count;
24 + size_t i, count, len;
25 const u8 *pos;
26
27 if (!groups)
28 return 0;
29
30 pos = wpabuf_head(groups);
31 - count = wpabuf_len(groups) / 2;
32 + len = wpabuf_len(groups);
33 + if (len & 1) {
34 + wpa_printf(MSG_DEBUG,
35 + "SAE: Invalid length of the Rejected Groups element payload: %zu",
36 + len);
37 + return 1;
38 + }
39 + count = len / 2;
40 for (i = 0; i < count; i++) {
41 int enabled;
42 u16 group;