97402887bfe6180cd0dfa8c98e9bd10c55c10c0c
[openwrt/staging/svanheule.git] /
1 From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <j@w1.fi>
3 Date: Sun, 7 Jul 2024 11:46:49 +0300
4 Subject: [PATCH] SAE: Check for invalid Rejected Groups element length
5 explicitly
6
7 Instead of practically ignoring an odd octet at the end of the element,
8 check for such invalid case explicitly. This is needed to avoid a
9 potential group downgrade attack.
10
11 Signed-off-by: Jouni Malinen <j@w1.fi>
12 ---
13 src/ap/ieee802_11.c | 12 ++++++++++--
14 1 file changed, 10 insertions(+), 2 deletions(-)
15
16 --- a/src/ap/ieee802_11.c
17 +++ b/src/ap/ieee802_11.c
18 @@ -1229,7 +1229,7 @@ static int check_sae_rejected_groups(str
19 struct sae_data *sae)
20 {
21 const struct wpabuf *groups;
22 - size_t i, count;
23 + size_t i, count, len;
24 const u8 *pos;
25
26 if (!sae->tmp)
27 @@ -1239,7 +1239,15 @@ static int check_sae_rejected_groups(str
28 return 0;
29
30 pos = wpabuf_head(groups);
31 - count = wpabuf_len(groups) / 2;
32 + len = wpabuf_len(groups);
33 + if (len & 1) {
34 + wpa_printf(MSG_DEBUG,
35 + "SAE: Invalid length of the Rejected Groups element payload: %zu",
36 + len);
37 + return 1;
38 + }
39 +
40 + count = len / 2;
41 for (i = 0; i < count; i++) {
42 int enabled;
43 u16 group;