git.ipfire.org Git - thirdparty/hostap.git/commit

author	Chenming Huang <quic_chenhuan@quicinc.com>
	Fri, 31 May 2024 02:28:36 +0000 (07:58 +0530)
committer	Jouni Malinen <j@w1.fi>
	Thu, 20 Jun 2024 15:19:26 +0000 (18:19 +0300)
commit	761041b18ab243c28467475145f316e10bd649cf
tree	9be1137eee59324789edfd7b72b723be6c642424	tree
parent	d97b5c6492795017819628f2a68038674e9066a7	commit \| diff

SAE: Free password identifier if SAE commit is rejected due to it

Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:

1. Peer sends an abnormal commit message with incorrect password
identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected

In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.

In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.

Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>