SAE: Reject invalid Rejected Groups element in the parser
There is no need to depend on all uses (i.e., both hostapd and wpa_supplicant) to verify that the length of the Rejected Groups field in the Rejected Groups element is valid (i.e., a multiple of two octets) since the common parser can reject the message when detecting this. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
593a7c2f8c
commit
9716bf1160
1 changed files with 6 additions and 0 deletions
|
|
@ -2116,6 +2116,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
|
|||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
epos++; /* skip ext ID */
|
||||
len--;
|
||||
if (len & 1) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"SAE: Invalid length of the Rejected Groups element payload: %u",
|
||||
len);
|
||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
wpabuf_free(sae->tmp->peer_rejected_groups);
|
||||
sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
|
||||
|
|
|
|||
Loading…
Reference in a new issue