SAE: Clear peer_rejected_groups when no element is included
When parsing a SAE Commit message, the temporary peer_rejected_groups parameter was left to its old value in cases where the new SAE Commit message did not include the Rejected Groups element. This could result in unexpected behavior if a previously processed SAE Commit message included a Rejected Groups element that claimed one of the enabled groups to be rejected. Explicitly clear the peer_rejected_groups value when parsing an SAE Commit message without a Rejected Groups element to avoid rejecting the new message based on some previously received incorrect information. This avoids some potential denial-of-service issues during the lifetime of the SAE temporary data. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
364c2da874
commit
21fe042815
1 changed files with 7 additions and 1 deletions
|
@ -2103,8 +2103,11 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
|
|||
|
||||
wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
|
||||
*pos, end - *pos);
|
||||
if (!sae_is_rejected_groups_elem(*pos, end))
|
||||
if (!sae_is_rejected_groups_elem(*pos, end)) {
|
||||
wpabuf_free(sae->tmp->peer_rejected_groups);
|
||||
sae->tmp->peer_rejected_groups = NULL;
|
||||
return WLAN_STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
epos = *pos;
|
||||
epos++; /* skip IE type */
|
||||
|
@ -2196,6 +2199,9 @@ u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
|
|||
res = sae_parse_rejected_groups(sae, &pos, end);
|
||||
if (res != WLAN_STATUS_SUCCESS)
|
||||
return res;
|
||||
} else {
|
||||
wpabuf_free(sae->tmp->peer_rejected_groups);
|
||||
sae->tmp->peer_rejected_groups = NULL;
|
||||
}
|
||||
|
||||
/* Optional Anti-Clogging Token Container element */
|
||||
|
|
Loading…
Reference in a new issue