From a43536a72bd4a315517cebef6fde4bb90abf6899 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 6 Nov 2022 13:29:34 +0200
Subject: [PATCH] PASN: Verify explicitly that elements are present before
 parsing

Make sure the elements were present before trying to parse them. This
was already done for most cases, but be consistent and check each item
explicitly before use.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/ap/ieee802_11.c       | 8 +++++---
 src/pasn/pasn_initiator.c | 5 +++++
 src/pasn/pasn_responder.c | 6 ++++++
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index da320bb78..cadefa865 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2414,7 +2414,7 @@ static int pasn_wd_handle_fils(struct hostapd_data *hapd, struct sta_info *sta,
 	}
 
 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
-	    !elems.wrapped_data) {
+	    !elems.wrapped_data || !elems.fils_session) {
 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
 		return -1;
 	}
@@ -2575,7 +2575,8 @@ static void hapd_pasn_update_params(struct hostapd_data *hapd,
 		return;
 	}
 
-	if (wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
+	if (!elems.rsn_ie ||
+	    wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 				 &rsn_data)) {
 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
 		return;
@@ -2604,7 +2605,8 @@ static void hapd_pasn_update_params(struct hostapd_data *hapd,
 	if (pasn->akmp != WPA_KEY_MGMT_FILS_SHA256 &&
 	    pasn->akmp != WPA_KEY_MGMT_FILS_SHA384)
 		return;
-	if (wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
+	if (!elems.pasn_params ||
+	    wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
 					elems.pasn_params_len + 3,
 					false, &pasn_params)) {
 		wpa_printf(MSG_DEBUG,
diff --git a/src/pasn/pasn_initiator.c b/src/pasn/pasn_initiator.c
index 327516355..90733c8cf 100644
--- a/src/pasn/pasn_initiator.c
+++ b/src/pasn/pasn_initiator.c
@@ -1132,6 +1132,11 @@ int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
 		goto fail;
 	}
 
+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
+		goto fail;
+	}
+
 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 			       &rsn_data);
 	if (ret) {
diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index cbc9be852..bffff51d9 100644
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -615,6 +615,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
 		goto send_resp;
 	}
 
+	if (!elems.rsn_ie) {
+		wpa_printf(MSG_DEBUG, "PASN: No RSNE");
+		status = WLAN_STATUS_INVALID_RSNIE;
+		goto send_resp;
+	}
+
 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
 				   &rsn_data);
 	if (ret) {
-- 
2.47.3