From 761041b18ab243c28467475145f316e10bd649cf Mon Sep 17 00:00:00 2001
From: Chenming Huang
Date: Fri, 31 May 2024 07:58:36 +0530
Subject: [PATCH] SAE: Free password identifier if SAE commit is rejected due to it

Authentication rejection was found when doing fuzz testing even with a valid SAE commit message when it was sent after a SAE commit message that included an incorrect password identifier. The test steps for this are as below:

1. Peer sends an abnormal commit message with incorrect password identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected

In step 2, as the abnormal data fakes an empty password identifier element, it passes the sae_is_password_id_elem() check. Memory is then allocated for sae->tmp->pw_id. The authentication process then fails due to no available password with this invalid password identifier.

In step 4, though the peer sends a valid commit message, APUT rejects this SAE commit again due to no password identifier element (due to sae->tmp->pw_id being set), which is not expected.

Free the sae->tmp->pw_id field and set it to NULL when SAE commit message processing fails due to an unknown password identifier so that the bogus value is not used as a requirement for any consecutive SAE commit from the same STA before the STA entry gets cleared.

Signed-off-by: Chenming Huang
---
 src/ap/ieee802_11.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 6a5137d87..2a771f708 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1565,6 +1565,14 @@ reply: auth_transaction, resp, data ? wpabuf_head(data) : (u8 *) "", data ? wpabuf_len(data) : 0, "auth-sae"); + if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id && + resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER && + auth_transaction == 1) { + wpa_printf(MSG_DEBUG, + "SAE: Clear stored password identifier since this SAE commit was not accepted"); + os_free(sta->sae->tmp->pw_id); + sta->sae->tmp->pw_id = NULL; + } } remove_sta:
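Review bot: the new block under `reply:` only clears `sta->sae->tmp->pw_id` when `resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER`, so a commit (auth_transaction 1) that carried a password identifier element but was rejected with any other status code leaves the stale `pw_id` in `sta->sae->tmp` and the same "later valid commit is rejected because the stored identifier is treated as a requirement" behaviour described in the commit message can still occur for that STA. Since a stored identifier is only meaningful once the commit that carried it was accepted, consider widening the condition to any non-success result for a commit, e.g. `resp != WLAN_STATUS_SUCCESS && auth_transaction == 1`, or state in the commit message why only the unknown-identifier case needs this. Minor style point: the `wpa_printf()` message string in the same block is long enough to push the line well past the usual width; splitting it or shortening the text ("SAE: Clear stored password identifier (commit not accepted)") would keep it in line with the surrounding code.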