SAE: Reject invalid Rejected Groups element in the parser
authorJouni Malinen <j@w1.fi>
Tue, 9 Jul 2024 20:34:34 +0000 (23:34 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 9 Jul 2024 20:37:45 +0000 (23:37 +0300)
There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/common/sae.c

index a8fceb284c01676e9a429158fa37b38fa8d280dc..a65da613404ad310c73b585b184968c93cd88122 100644 (file)
@@ -2116,6 +2116,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
                return WLAN_STATUS_UNSPECIFIED_FAILURE;
        epos++; /* skip ext ID */
        len--;
+       if (len & 1) {
+               wpa_printf(MSG_DEBUG,
+                          "SAE: Invalid length of the Rejected Groups element payload: %u",
+                          len);
+               return WLAN_STATUS_UNSPECIFIED_FAILURE;
+       }
 
        wpabuf_free(sae->tmp->peer_rejected_groups);
        sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
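Review bot: The new odd-length rejection returns before the `wpabuf_free(sae->tmp->peer_rejected_groups)` call that follows it, so a list stored while parsing an earlier frame stays in `sae->tmp` when a malformed element is rejected; the existing early return on the first context line behaves the same way. Whether that matters depends on how callers treat `WLAN_STATUS_UNSPECIFIED_FAILURE`, which is not visible in this hunk. If they can still consult the stored list afterwards, the failure branch should clear it first with `wpabuf_free(sae->tmp->peer_rejected_groups);` and `sae->tmp->peer_rejected_groups = NULL;`. A zero-length payload still passes `len & 1` and reaches `wpabuf_alloc(len)`, so it is worth confirming that an empty Rejected Groups list is meant to be accepted. The function starts before and continues after the hunk.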