WPS: Fix Probe Request processing to handle missing attribute

WPS IE parsing for PBC mode did not check whether the UUID-E attribute
was included before dereferencing the pointer. This could result in the
AP crashing when processing and invalid Probe Request frame.

diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index 3f5119022eab8507ab96f77809f03b36694d6547..db20c7da073c2289f19aae18a0e387ea6c3c1022 100644 (file)
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -799,6 +799,11 @@ void wps_registrar_probe_req_rx(struct wps_registrar *reg, const u8 *addr,
 
        wpa_printf(MSG_DEBUG, "WPS: Probe Request for PBC received from "
                   MACSTR, MAC2STR(addr));
+       if (attr.uuid_e == NULL) {
+               wpa_printf(MSG_DEBUG, "WPS: Invalid Probe Request WPS IE: No "
+                          "UUID-E included");
+               return;
+       }
 
        wps_registrar_add_pbc_session(reg, addr, attr.uuid_e);
        if (wps_registrar_pbc_overlap(reg, addr, attr.uuid_e)) {