OWE: Fix association rejection behavior

If association failed for any non-OWE specific reason, the previous
implementation tried to add the OWE related IEs into the (Re)Association
Response frame. This is not needed and could actually result in
dereferencing a NULL pointer. Fix this by adding those OWE related IEs
only for successful association and only if the RSN state machine has
been initialized.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/ap/ieee802_11.c

@@ -2922,7 +2922,8 @@ static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
 #endif /* CONFIG_IEEE80211R_AP */
 
 #ifdef CONFIG_OWE
-	if (sta && (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
+	if (sta && status_code == WLAN_STATUS_SUCCESS &&
+	    (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE))
 		p = wpa_auth_write_assoc_resp_owe(sta->wpa_sm, p,
 						  buf + buflen - p,
 						  ies, ies_len);
@@ -3069,7 +3070,7 @@ static u16 send_assoc_resp(struct hostapd_data *hapd, struct sta_info *sta,
 
 #ifdef CONFIG_OWE
 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
-	    sta && sta->owe_ecdh &&
+	    sta && sta->owe_ecdh && status_code == WLAN_STATUS_SUCCESS &&
 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE) {
 		struct wpabuf *pub;
 

src/ap/wpa_auth_ie.c

@@ -1068,7 +1068,11 @@ u8 * wpa_auth_write_assoc_resp_owe(struct wpa_state_machine *sm,
 				   const u8 *req_ies, size_t req_ies_len)
 {
 	int res;
-	struct wpa_auth_config *conf = &sm->wpa_auth->conf;
+	struct wpa_auth_config *conf;
+
+	if (!sm)
+		return pos;
+	conf = &sm->wpa_auth->conf;
 
 #ifdef CONFIG_TESTING_OPTIONS
 	if (conf->own_ie_override_len) {