DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

SAE: Reject invalid Rejected Groups element in the parser

Browse source 
There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2024-07-09 23:34:34 +03:00
parent 593a7c2f8c
commit 9716bf1160
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/common/sae.c
View file

@ -2116,6 +2116,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
return WLAN_STATUS_UNSPECIFIED_FAILURE; return WLAN_STATUS_UNSPECIFIED_FAILURE;
epos++; /* skip ext ID */ epos++; /* skip ext ID */
len--; len--;
if (len & 1) {
wpa_printf(MSG_DEBUG,
"SAE: Invalid length of the Rejected Groups element payload: %u",
len);
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
wpabuf_free(sae->tmp->peer_rejected_groups); wpabuf_free(sae->tmp->peer_rejected_groups);
sae->tmp->peer_rejected_groups = wpabuf_alloc(len); sae->tmp->peer_rejected_groups = wpabuf_alloc(len);