SAE: Free password identifier if SAE commit is rejected due to it
Authentication rejection was found when doing fuzz testing even with a valid SAE commit message when it was sent after a SAE commit message that included an incorrect password identifier. The test steps for this are as below: 1. Peer sends an abnormal commit message with incorrect password identifier 2. APUT rejects as expected 3. Peer sends a valid commit message 4. APUT rejects again, which is not expected In step 2, as the abnormal data fakes an empty password identifier element, it passes sae_is_password_id_elem() checking. Memory is then allocated for sae->tmp->pw_id. The authentication process then fails due to no available password with this invalid password identifier. In step 4, though the peer sends a valid commit message, APUT rejects this SAE commit again due to no password identifier element (due to that sae->tmp->pw_id being set), which is not expected. Free the sae->tmp->pw_id field and set it to NULL when SAE commit message processing fails due to an unknown password identifier so that the bogus value is not used as a requirement for any consecutive SAE commit from the same STA before the STA entry gets cleared. Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
This commit is contained in:
parent
d97b5c6492
commit
761041b18a
1 changed files with 8 additions and 0 deletions
|
@ -1565,6 +1565,14 @@ reply:
|
|||
auth_transaction, resp,
|
||||
data ? wpabuf_head(data) : (u8 *) "",
|
||||
data ? wpabuf_len(data) : 0, "auth-sae");
|
||||
if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id &&
|
||||
resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER &&
|
||||
auth_transaction == 1) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"SAE: Clear stored password identifier since this SAE commit was not accepted");
|
||||
os_free(sta->sae->tmp->pw_id);
|
||||
sta->sae->tmp->pw_id = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
remove_sta:
|
||||
|
|
Loading…
Reference in a new issue