WPA: Discard EAPOL-Key msg 1/4 with corrupted information elements

Currently a corrupted handshake message 1/4 causes the client to
disconnect from the network. This can lead to a denial-of-service
vulnerability allowing an adversary to forcibly disconnect a client from
protected networks even when Wi-Fi Management Frame Protection (MFP) is
enforced if the driver allows unencrypted EAPOL-Key frames to be
received after key configuration.

Fix this by discarding the corrupted handshake message 1/4.

This issue was discovered by Domien Schepers (Northeastern University)
and Mathy Vanhoef (imec-DistriNet, KU Leuven).

Signed-off-by: Domien Schepers <schepers.d@northeastern.edu>
Domien Schepers 2022-05-05 21:53:26 +02:00 committed by Jouni Malinen
parent f8967ece23
commit b1172c19e1

@ -694,7 +694,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
return;
}
wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
"Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
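Review bot: the removal of wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE) here is a behavioural change that the commit message does not mention, since the call is moved to after the IE/KDE validation in the third hunk so that a discarded message 1/4 no longer moves the state machine; consider stating that in the message. Note also that the "RX message 1 of 4-Way Handshake" debug line still fires before any validation, so for a corrupted frame the log will show that line followed by the new "Discard" line, which is worth knowing when correlating logs.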
@ -704,8 +703,11 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
/* RSN: msg 1/4 should contain PMKID for the selected PMK */
wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
key_data, key_data_len);
if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
goto failed;
if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
wpa_printf(MSG_DEBUG,
"RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
return;
}
if (ie.pmkid) {
wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
"Authenticator", ie.pmkid, PMKID_LEN);
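Review bot: swapping `goto failed` for a plain `return` on the wpa_supplicant_parse_ies() failure is the actual fix, since the failed path is what the commit message identifies as causing the disconnect; with this change the frame is dropped and the supplicant keeps waiting for a valid message 1/4. Two follow-ups: the discard is logged only at MSG_DEBUG, and because repeated corrupted 1/4 frames are exactly the denial-of-service attempt described in the message, a higher-level log line or a counter would make the condition visible without debug logging enabled; and since ie.pmkid is read immediately below, confirm that wpa_supplicant_parse_ies() leaves ie untouched or fully reset when it returns an error, so no partially parsed data can be used on a later valid frame.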
@ -721,6 +723,8 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
if (res)
goto failed;
wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
if (sm->renew_snonce) {
if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
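Review bot: wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE) now runs only after `if (res) goto failed;`, i.e. once the key data has been parsed and the PMK handling has succeeded, which is the right place if the goal is that a discarded or rejected message 1/4 leaves the state unchanged. Please verify that nothing between the old position (just before the "RX message 1 of 4-Way Handshake" log) and this one depended on the state already being WPA_4WAY_HANDSHAKE; the ordering that matters for the reply, state set before the SNonce renewal and response below, is preserved.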