SAE: Free password identifier if SAE commit is rejected due to it

Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:

1. Peer sends an abnormal commit message with incorrect password
   identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected

In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.

In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.

Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
This commit is contained in:
Chenming Huang 2024-05-31 07:58:36 +05:30 committed by Jouni Malinen
parent d97b5c6492
commit 761041b18a

View file

@ -1565,6 +1565,14 @@ reply:
auth_transaction, resp, auth_transaction, resp,
data ? wpabuf_head(data) : (u8 *) "", data ? wpabuf_head(data) : (u8 *) "",
data ? wpabuf_len(data) : 0, "auth-sae"); data ? wpabuf_len(data) : 0, "auth-sae");
if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id &&
resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER &&
auth_transaction == 1) {
wpa_printf(MSG_DEBUG,
"SAE: Clear stored password identifier since this SAE commit was not accepted");
os_free(sta->sae->tmp->pw_id);
sta->sae->tmp->pw_id = NULL;
}
} }
remove_sta: remove_sta: