SAE: Check for invalid Rejected Groups element length explicitly

Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 2a771f708ccd339b7a5dd4af190df2bb52aa95e3..9af586a7b00af0602c762cf9e52b7ebe4f19a713 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1231,7 +1231,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
                                     struct sae_data *sae)
 {
        const struct wpabuf *groups;
-       size_t i, count;
+       size_t i, count, len;
        const u8 *pos;
 
        if (!sae->tmp)
@@ -1241,7 +1241,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
                return 0;
 
        pos = wpabuf_head(groups);
-       count = wpabuf_len(groups) / 2;
+       len = wpabuf_len(groups);
+       if (len & 1) {
+               wpa_printf(MSG_DEBUG,
+                          "SAE: Invalid length of the Rejected Groups element payload: %zu",
+                          len);
+               return 1;
+       }
+
+       count = len / 2;
        for (i = 0; i < count; i++) {
                int enabled;
                u16 group;