Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:
1. Peer sends an abnormal commit message with incorrect password
identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected
In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.
In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.
Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
auth_transaction, resp,
data ? wpabuf_head(data) : (u8 *) "",
data ? wpabuf_len(data) : 0, "auth-sae");
+ if (sta->sae && sta->sae->tmp && sta->sae->tmp->pw_id &&
+ resp == WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER &&
+ auth_transaction == 1) {
+ wpa_printf(MSG_DEBUG,
+ "SAE: Clear stored password identifier since this SAE commit was not accepted");
+ os_free(sta->sae->tmp->pw_id);
+ sta->sae->tmp->pw_id = NULL;
+ }
}
remove_sta:
projects / thirdparty / hostap.git / commitdiff
