PASN: Verify explicitly that elements are present before parsing

Make sure the elements were present before trying to parse them. This was already done for most cases, but be consistent and check each item explicitly before use. Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 13:29:34 +02:00 · 2022-11-06 13:29:34 +02:00 · a43536a72b
commit a43536a72b
parent 7e38524076
3 changed files with 16 additions and 3 deletions
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@ -2414,7 +2414,7 @@ static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
 	}

 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
-	    !elems.wrapped_data) {
+	    !elems.wrapped_data || !elems.fils_session) {
 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
 		return -1;
 	}
@ -2575,7 +2575,8 @@ static void hapd_pasn_update_params(struct hostapd_data *hapd,
 		return;
 	}

-	if (wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
+	if (!elems.rsn_ie ||
+	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 				 &rsn_data)) {
 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
 		return;
@ -2604,7 +2605,8 @@ static void hapd_pasn_update_params(struct hostapd_data *hapd,
 	if (pasn->akmp != WPA_KEY_MGMT_FILS_SHA256 &&
 	    pasn->akmp != WPA_KEY_MGMT_FILS_SHA384)
 		return;
-	if (wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
+	if (!elems.pasn_params ||
+	    wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
 					elems.pasn_params_len + 3,
 					false, &pasn_params)) {
 		wpa_printf(MSG_DEBUG,
--- a/src/pasn/pasn_initiator.c
+++ b/src/pasn/pasn_initiator.c
@ -1132,6 +1132,11 @@ int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
 		goto fail;
 	}

+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
+		goto fail;
+	}
+
 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 			       &rsn_data);
 	if (ret) {
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@ -615,6 +615,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
 		goto send_resp;
 	}

+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG, "PASN: No RSNE");
+		status = WLAN_STATUS_INVALID_RSNIE;
+		goto send_resp;
+	}
+
 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 				   &rsn_data);
 	if (ret) {