OWE: Fix error case handling with drivers that implement AP SME
owe_auth_req_process() can return NULL in error cases, but the caller
was not prepared for this. The p pointer cannot be overridden in such
cases since that would result in buffer length (p - buf) overflows. Fix
this by using a temporary variable to check the return value before
overriding p so that the hostapd_sta_assoc() ends up using correct
length for the IE buffer.
Fixes: 33c8bbd8ca
("OWE: Add AP mode handling of OWE with drivers that implement SME")
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
c23e87d0d1
commit
04ded82efa
1 changed files with 9 additions and 4 deletions
|
@ -526,10 +526,15 @@ skip_wpa_check:
|
|||
if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
|
||||
wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
|
||||
elems.owe_dh) {
|
||||
p = owe_auth_req_process(hapd, sta,
|
||||
elems.owe_dh, elems.owe_dh_len,
|
||||
p, &reason);
|
||||
if (!p || reason != WLAN_STATUS_SUCCESS)
|
||||
u8 *npos;
|
||||
|
||||
npos = owe_auth_req_process(hapd, sta,
|
||||
elems.owe_dh, elems.owe_dh_len,
|
||||
p, &reason);
|
||||
if (!npos)
|
||||
goto fail;
|
||||
p = npos;
|
||||
if (reason != WLAN_STATUS_SUCCESS)
|
||||
goto fail;
|
||||
}
|
||||
#endif /* CONFIG_OWE */
|
||||
|
|
Loading…
Reference in a new issue