feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

SAE: Check for invalid Rejected Groups element length explicitly on STA

Browse Source 
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
2024-09-10 10:25:11 +05:30
committed by BOT
parent 9a6389978c
commit ce2e5455e8
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c
View File

@@ -263,7 +263,7 @@ static int wpa3_sae_is_group_enabled(int group)
static int wpa3_check_sae_rejected_groups(const struct wpabuf *groups)
{
size_t i, count;
size_t i, count, len;
const u8 *pos;
if (!groups) {
@@ -271,7 +271,14 @@ static int wpa3_check_sae_rejected_groups(const struct wpabuf *groups)
}
pos = wpabuf_head(groups);
count = wpabuf_len(groups) / 2;
len = wpabuf_len(groups);
if (len & 1) {
wpa_printf(MSG_DEBUG,
"SAE: Invalid length of the Rejected Groups element payload: %zu",
len);
return 1;
}
count = len / 2;
for (i = 0; i < count; i++) {
int enabled;
u16 group;