owe_auth_req_process() can return NULL in error cases, but the caller
was not prepared for this. The p pointer cannot be overridden in such
cases since that would result in buffer length (p - buf) overflows. Fix
this by using a temporary variable to check the return value before
overriding p so that the hostapd_sta_assoc() ends up using correct
length for the IE buffer.

Fixes: 33c8bbd8ca7a ("OWE: Add AP mode handling of OWE with drivers that implement SME")
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
elems.owe_dh) {
- p = owe_auth_req_process(hapd, sta,
- elems.owe_dh, elems.owe_dh_len,
- p, &reason);
- if (!p || reason != WLAN_STATUS_SUCCESS)
+ u8 *npos;
+
+ npos = owe_auth_req_process(hapd, sta,
+ elems.owe_dh, elems.owe_dh_len,
+ p, &reason);
+ if (!npos)
+ goto fail;
+ p = npos;
+ if (reason != WLAN_STATUS_SUCCESS)
goto fail;
}
#endif /* CONFIG_OWE */
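Review bot: The new `if (!npos) goto fail;` branch jumps to `fail` without looking at `reason`, so whatever the `fail` path does with `reason` now depends on owe_auth_req_process() always storing a failure status through `&reason` when it returns NULL, and that contract is not visible in this hunk. If it is not guaranteed, set the status explicitly before the goto, for example `if (reason == WLAN_STATUS_SUCCESS) reason = WLAN_STATUS_UNSPECIFIED_FAILURE;`, or state the guarantee in a comment on owe_auth_req_process(). Keeping `p = npos;` ahead of the `reason != WLAN_STATUS_SUCCESS` check matches the commit message's intent that (p - buf) stays a valid IE length on the failure path; a one-line comment saying so would stop a later cleanup from merging the two checks back into one.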