From: Jouni Malinen <j@w1.fi>
Date: Sun, 7 Jul 2024 08:46:49 +0000 (+0300)
Subject: SAE: Check for invalid Rejected Groups element length explicitly
X-Git-Tag: hostap_2_11~79
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=364c2da8741f0979dae497551e70b94c0e6c8636;p=thirdparty%2Fhostap.git

SAE: Check for invalid Rejected Groups element length explicitly

Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 2a771f708..9af586a7b 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1231,7 +1231,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
 				     struct sae_data *sae)
 {
 	const struct wpabuf *groups;
-	size_t i, count;
+	size_t i, count, len;
 	const u8 *pos;
 
 	if (!sae->tmp)
@@ -1241,7 +1241,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
 		return 0;
 
 	pos = wpabuf_head(groups);
-	count = wpabuf_len(groups) / 2;
+	len = wpabuf_len(groups);
+	if (len & 1) {
+		wpa_printf(MSG_DEBUG,
+			   "SAE: Invalid length of the Rejected Groups element payload: %zu",
+			   len);
+		return 1;
+	}
+
+	count = len / 2;
 	for (i = 0; i < count; i++) {
 		int enabled;
 		u16 group;