OWE: Fix error case handling with drivers that implement AP SME

owe_auth_req_process() can return NULL in error cases, but the caller
was not prepared for this. The p pointer cannot be overridden in such
cases since that would result in buffer length (p - buf) overflows. Fix
this by using a temporary variable to check the return value before
overriding p so that the hostapd_sta_assoc() ends up using correct
length for the IE buffer.

Fixes: 33c8bbd8ca ("OWE: Add AP mode handling of OWE with drivers that implement SME")
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-12-11 13:36:48 +02:00 committed by Jouni Malinen
parent c23e87d0d1
commit 04ded82efa

View file

@ -526,10 +526,15 @@ skip_wpa_check:
if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
elems.owe_dh) {
p = owe_auth_req_process(hapd, sta,
u8 *npos;
npos = owe_auth_req_process(hapd, sta,
elems.owe_dh, elems.owe_dh_len,
p, &reason);
if (!p || reason != WLAN_STATUS_SUCCESS)
if (!npos)
goto fail;
p = npos;
if (reason != WLAN_STATUS_SUCCESS)
goto fail;
}
#endif /* CONFIG_OWE */