SAE: Check for invalid Rejected Groups element length explicitly on STA

Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 013c2453b445e7ce29df9a1babd95ae4cc91c653..2abc3eab86c194a4bb065309753a195da0f779d3 100644 (file)
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1570,14 +1570,21 @@ static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group)
 static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
                                         const struct wpabuf *groups)
 {
-       size_t i, count;
+       size_t i, count, len;
        const u8 *pos;
 
        if (!groups)
                return 0;
 
        pos = wpabuf_head(groups);
-       count = wpabuf_len(groups) / 2;
+       len = wpabuf_len(groups);
+       if (len & 1) {
+               wpa_printf(MSG_DEBUG,
+                          "SAE: Invalid length of the Rejected Groups element payload: %zu",
+                          len);
+               return 1;
+       }
+       count = len / 2;
        for (i = 0; i < count; i++) {
                int enabled;
                u16 group;