authorJouni Malinen <jouni@codeaurora.org>2019-03-05 21:43:25 (GMT)
committerJouni Malinen <j@w1.fi>2019-04-09 14:11:15 (GMT)
commitac8fa9ef198640086cf2ce7c94673be2b6a018a0 (patch)
tree1ced4d96690d642ac1a6758ca45cc7496a69e71e
parentcff138b0747fa39765cbc641b66cfa5d7f1735d1 (diff)
SAE: Fix confirm message validation in error cases
Explicitly verify that own and peer commit scalar/element are available when trying to check SAE confirm message. It could have been possible to hit a NULL pointer dereference if the peer element could not have been parsed. (CVE-2019-9496) Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/common/sae.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/common/sae.c b/src/common/sae.c
index eaf825d..5a50294 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
- if (sae->tmp == NULL) {
+ if (!sae->tmp || !sae->peer_commit_scalar ||
+ !sae->tmp->own_commit_scalar) {
wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
return -1;
}
- if (sae->tmp->ec)
+ if (sae->tmp->ec) {
+ if (!sae->tmp->peer_commit_element_ecc ||
+ !sae->tmp->own_commit_element_ecc)
+ return -1;
sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ecc,
sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ecc,
verifier);
- else
+ } else {
+ if (!sae->tmp->peer_commit_element_ffc ||
+ !sae->tmp->own_commit_element_ffc)
+ return -1;
sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ffc,
sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ffc,
verifier);
+ }
if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
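Review bot: The two new `return -1;` paths inside the `sae->tmp->ec` and `else` branches reject the confirm message silently, while the first guard logs before returning. That leaves no debug trace of a confirm dropped because a commit element was never set, which is the case the commit message ties to CVE-2019-9496. I would brace each inner check and add a line such as `wpa_printf(MSG_DEBUG, "SAE: Commit element not available for confirm check");` before the return. The first guard now also fires when `sae->peer_commit_scalar` or `sae->tmp->own_commit_scalar` is missing, so its "Temporary data not yet available" text no longer matches every condition it covers. A one-line comment above the guards, along the lines of `/* peer scalar/element may be unset if the commit message failed to parse */`, would help keep these checks in place; `sae_check_confirm` begins and ends outside this hunk.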