P2P: Fix validation on Invitation Request error path
authorJouni Malinen <j@w1.fi>
Sun, 2 Mar 2014 00:06:06 +0000 (02:06 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 2 Mar 2014 08:35:33 +0000 (10:35 +0200)
It was possible for the error path to try to use P2P Group ID attribute
even if one was not included in the message. This could result in
dereferencing a NULL pointer, so re-check the pointer before copying the
data.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/p2p/p2p_invitation.c

index 30d218cf9f46443a8ff0484e22be918bd40e8dec..a45fe198d819475d530b996fdbe8ff9c1c3b9353 100644 (file)
@@ -359,12 +359,17 @@ fail:
                p2p->inv_group_bssid_ptr = p2p->inv_group_bssid;
        } else
                p2p->inv_group_bssid_ptr = NULL;
-       if (msg.group_id_len - ETH_ALEN <= 32) {
-               os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
-                         msg.group_id_len - ETH_ALEN);
-               p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
+       if (msg.group_id) {
+               if (msg.group_id_len - ETH_ALEN <= 32) {
+                       os_memcpy(p2p->inv_ssid, msg.group_id + ETH_ALEN,
+                                 msg.group_id_len - ETH_ALEN);
+                       p2p->inv_ssid_len = msg.group_id_len - ETH_ALEN;
+               }
+               os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
+       } else {
+               p2p->inv_ssid_len = 0;
+               os_memset(p2p->inv_go_dev_addr, 0, ETH_ALEN);
        }
-       os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN);
        p2p->inv_status = status;
        p2p->inv_op_freq = op_freq;
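Review bot: Inside the new `if (msg.group_id)` branch, a Group ID that fails the `<= 32` check leaves `p2p->inv_ssid` and `p2p->inv_ssid_len` at whatever was stored earlier while `inv_go_dev_addr` is still overwritten, so the saved invitation state can mix two different groups; adding `else p2p->inv_ssid_len = 0;` to the inner check would match what the outer `else` already does. The same check depends on `msg.group_id_len - ETH_ALEN` wrapping to a large value when the length is below ETH_ALEN (this assumes `group_id_len` is unsigned, which the hunk does not show), and the following `os_memcpy(p2p->inv_go_dev_addr, msg.group_id, ETH_ALEN)` reads ETH_ALEN bytes whatever the length is. Unless the attribute parser already rejects Group IDs shorter than ETH_ALEN, the outer condition should state the bound explicitly, e.g. `if (msg.group_id && msg.group_id_len >= ETH_ALEN) {`. This is the `fail:` path of a function whose start and end lie outside the hunk, so the parser guarantee could not be confirmed from here.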