SAE: Clear peer_rejected_groups when no element is included

When parsing a SAE Commit message, the temporary peer_rejected_groups
parameter was left to its old value in cases where the new SAE Commit
message did not include the Rejected Groups element. This could result
in unexpected behavior if a previously processed SAE Commit message
included a Rejected Groups element that claimed one of the enabled
groups to be rejected.

Explicitly clear the peer_rejected_groups value when parsing an SAE
Commit message without a Rejected Groups element to avoid rejecting the
new message based on some previously received incorrect information.
This avoids some potential denial-of-service issues during the lifetime
of the SAE temporary data.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/common/sae.c

@@ -2103,8 +2103,11 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
 
 	wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
 		    *pos, end - *pos);
-	if (!sae_is_rejected_groups_elem(*pos, end))
+	if (!sae_is_rejected_groups_elem(*pos, end)) {
+		wpabuf_free(sae->tmp->peer_rejected_groups);
+		sae->tmp->peer_rejected_groups = NULL;
 		return WLAN_STATUS_SUCCESS;
+	}
 
 	epos = *pos;
 	epos++; /* skip IE type */
@@ -2196,6 +2199,9 @@ u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
 		res = sae_parse_rejected_groups(sae, &pos, end);
 		if (res != WLAN_STATUS_SUCCESS)
 			return res;
+	} else {
+		wpabuf_free(sae->tmp->peer_rejected_groups);
+		sae->tmp->peer_rejected_groups = NULL;
 	}
 
 	/* Optional Anti-Clogging Token Container element */