From 03abb6b5416d472d473c7017802236f8397d0278 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 13 Nov 2017 12:54:20 +0200
Subject: [PATCH] DPP: Reject unexpected Req/Resp message based on Auth/PKEX role
This prevents issues where an unexpected message in the DPP Authentication exchange or PKEX could result in undefined behavior.
Signed-off-by: Jouni Malinen
---
 src/common/dpp.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/common/dpp.c b/src/common/dpp.c
index 5a9021922..e2a6ffd7f 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -3096,6 +3096,11 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 u8 r_auth2[DPP_MAX_HASH_LEN];
 u8 role;
+ if (!auth->initiator) {
+ dpp_auth_fail(auth, "Unexpected Authentication Response");
+ return NULL;
+ }
+
 auth->waiting_auth_resp = 0;
 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
@@ -3458,6 +3463,11 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
 size_t unwrapped_len = 0;
 u8 i_auth2[DPP_MAX_HASH_LEN];
+ if (auth->initiator) {
+ dpp_auth_fail(auth, "Unexpected Authentication Confirm");
+ return NULL;
+ }
+
 auth->waiting_auth_conf = 0;
 wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
@@ -6430,7 +6440,7 @@ struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
 u8 u[DPP_MAX_HASH_LEN];
 int res;
- if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT)
+ if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
 return NULL;
 attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
@@ -6740,7 +6750,7 @@ struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
 u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
 if (!pkex->exchange_done || pkex->failed ||
- pkex->t >= PKEX_COUNTER_T_LIMIT)
+ pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator)
 goto fail;
 wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
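Review bot: In the dpp_auth_conf_rx() hunk the new rejection path ends with `return NULL;`, but the hunk header shows the function is declared `int dpp_auth_conf_rx(...)`. NULL converts to 0 in an int return, so if 0 is this function's success value (its other return statements are outside the hunk) an initiator that receives an unexpected Authentication Confirm would log the failure and then report success to its caller. The line should be `return -1;`, or whichever failure value the rest of the function uses. The dpp_auth_resp_rx() hunk uses the same statement; its return type is on a line above the hunk header, so confirm there that it returns a pointer.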
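Review bot: The role check added to dpp_pkex_rx_exchange_resp() is folded into the existing `return NULL` condition, so a PKEX Exchange Response that reaches a non-initiator is dropped without any log line, while the two Authentication hunks report the equivalent case through dpp_auth_fail(). A separate branch ahead of the existing test would make role-mismatch frames visible when diagnosing or monitoring an exchange, for example `if (!pkex->initiator) { wpa_printf(MSG_DEBUG, "DPP: Unexpected PKEX Exchange Response"); return NULL; }`. The same applies to the `pkex->initiator` and `!pkex->initiator` conditions added in dpp_pkex_rx_commit_reveal_req() and dpp_pkex_rx_commit_reveal_resp(); those jump to a `fail` label whose body is outside the hunks, so it may already log something generic.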
@@ -6917,7 +6927,7 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
 struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
 if (!pkex->exchange_done || pkex->failed ||
- pkex->t >= PKEX_COUNTER_T_LIMIT)
+ pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
 goto fail;
 wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,