DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

SAE: Check for invalid Rejected Groups element length explicitly on STA

Browse source 
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Fixes: 444d76f74f ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2024-07-09 23:33:38 +03:00
parent 5f98c853e4
commit 593a7c2f8c
1 changed files with 9 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
wpa_supplicant/sme.c
View file

@ -1570,14 +1570,21 @@ static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group)
static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
const struct wpabuf *groups)
{
size_t i, count;
size_t i, count, len;
const u8 *pos;
if (!groups)
return 0;
pos = wpabuf_head(groups);
count = wpabuf_len(groups) / 2;
len = wpabuf_len(groups);
if (len & 1) {
wpa_printf(MSG_DEBUG,
"SAE: Invalid length of the Rejected Groups element payload: %zu",
len);
return 1;
}
count = len / 2;
for (i = 0; i < count; i++) {
int enabled;
u16 group;