From: Jouni Malinen <j@w1.fi>
Date: Tue, 9 Jul 2024 20:34:34 +0000 (+0300)
Subject: SAE: Reject invalid Rejected Groups element in the parser
X-Git-Tag: hostap_2_11~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9716bf1160beb677e965d9e6475d6c9e162e8374;p=thirdparty%2Fhostap.git

SAE: Reject invalid Rejected Groups element in the parser

There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/common/sae.c b/src/common/sae.c
index a8fceb284..a65da6134 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -2116,6 +2116,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
 	epos++; /* skip ext ID */
 	len--;
+	if (len & 1) {
+		wpa_printf(MSG_DEBUG,
+			   "SAE: Invalid length of the Rejected Groups element payload: %u",
+			   len);
+		return WLAN_STATUS_UNSPECIFIED_FAILURE;
+	}
 
 	wpabuf_free(sae->tmp->peer_rejected_groups);
 	sae->tmp->peer_rejected_groups = wpabuf_alloc(len);