From: Jouni Malinen <j@w1.fi>
Date: Sun, 6 Nov 2022 11:29:34 +0000 (+0200)
Subject: PASN: Verify explicitly that elements are present before parsing
X-Git-Tag: hostap_2_11~1566
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a43536a72bd4a315517cebef6fde4bb90abf6899;p=thirdparty%2Fhostap.git

PASN: Verify explicitly that elements are present before parsing

Make sure the elements were present before trying to parse them. This
was already done for most cases, but be consistent and check each item
explicitly before use.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index da320bb78..cadefa865 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2414,7 +2414,7 @@ static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
 	}
 
 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
-	    !elems.wrapped_data) {
+	    !elems.wrapped_data || !elems.fils_session) {
 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
 		return -1;
 	}
@@ -2575,7 +2575,8 @@ static void hapd_pasn_update_params(struct hostapd_data *hapd,
 		return;
 	}
 
-	if (wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
+	if (!elems.rsn_ie ||
+	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 				 &rsn_data)) {
 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
 		return;
@@ -2604,7 +2605,8 @@ static void hapd_pasn_update_params(struct hostapd_data *hapd,
 	if (pasn->akmp != WPA_KEY_MGMT_FILS_SHA256 &&
 	    pasn->akmp != WPA_KEY_MGMT_FILS_SHA384)
 		return;
-	if (wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
+	if (!elems.pasn_params ||
+	    wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
 					elems.pasn_params_len + 3,
 					false, &pasn_params)) {
 		wpa_printf(MSG_DEBUG,
diff --git a/src/pasn/pasn_initiator.c b/src/pasn/pasn_initiator.c
index 327516355..90733c8cf 100644
--- a/src/pasn/pasn_initiator.c
+++ b/src/pasn/pasn_initiator.c
@@ -1132,6 +1132,11 @@ int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
 		goto fail;
 	}
 
+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
+		goto fail;
+	}
+
 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 			       &rsn_data);
 	if (ret) {
diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index cbc9be852..bffff51d9 100644
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -615,6 +615,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
 		goto send_resp;
 	}
 
+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG, "PASN: No RSNE");
+		status = WLAN_STATUS_INVALID_RSNIE;
+		goto send_resp;
+	}
+
 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 				   &rsn_data);
 	if (ret) {