feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

SAE: Check for invalid Rejected Groups element length explicitly

Browse Source 
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
2024-09-09 18:49:11 +05:30
committed by Shreyas Sheth
parent 6b3bf4d0e7
commit 5f7a3b6d48
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
components/wpa_supplicant/src/ap/ieee802_11.c
View File

@@ -426,7 +426,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
struct sae_data *sae)
{
const struct wpabuf *groups;
size_t i, count;
size_t i, count, len;
const u8 *pos;
if (!sae->tmp)
@@ -436,7 +436,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
return 0;
pos = wpabuf_head(groups);
count = wpabuf_len(groups);
len = wpabuf_len(groups);
if (len & 1) {
wpa_printf(MSG_DEBUG,
"SAE: Invalid length of the Rejected Groups element payload: %zu",
len);
return 1;
}
count = len / 2;
for (i = 0; i < count; i++) {
int enabled;
u16 group;