From 04ded82efad6cee855720e49c14c57a82a309b68 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 11 Dec 2017 13:36:48 +0200 Subject: [PATCH] OWE: Fix error case handling with drivers that implement AP SME owe_auth_req_process() can return NULL in error cases, but the caller was not prepared for this. The p pointer cannot be overridden in such cases since that would result in buffer length (p - buf) overflows. Fix this by using a temporary variable to check the return value before overriding p so that the hostapd_sta_assoc() ends up using correct length for the IE buffer. Fixes: 33c8bbd8ca7a ("OWE: Add AP mode handling of OWE with drivers that implement SME") Signed-off-by: Jouni Malinen
---
src/ap/drv_callbacks.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index 33f11aeda..c45536002 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -526,10 +526,15 @@ skip_wpa_check:
 if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
 wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
 elems.owe_dh) {
- p = owe_auth_req_process(hapd, sta,
- elems.owe_dh, elems.owe_dh_len,
- p, &reason);
- if (!p || reason != WLAN_STATUS_SUCCESS)
+ u8 *npos;
+
+ npos = owe_auth_req_process(hapd, sta,
+ elems.owe_dh, elems.owe_dh_len,
+ p, &reason);
+ if (!npos)
+ goto fail;
+ p = npos;
+ if (reason != WLAN_STATUS_SUCCESS)
 goto fail;
 }
 #endif /* CONFIG_OWE */
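Review bot: The call to owe_auth_req_process() still passes only the write position `p` and no remaining-length argument, so nothing visible in this hunk bounds how much the callee may append to the IE buffer. The commit protects the read-side length `(p - buf)` on the NULL path, but the write side of the same buffer relies entirely on the callee, whose definition is outside the hunk and should be checked. If it has no bound of its own, consider passing the space left explicitly, for example `p, sizeof(buf) - (p - buf), &reason);` (assuming `buf` is a local array), and having the callee return NULL when the element does not fit. A short comment above `p = npos;` such as `/* only advance p on success: the fail path uses p - buf as the IE length */` would also keep the ordering from being "simplified" back later. The enclosing function starts and ends outside the hunk.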