wpa_supplicant:Fix potential null pointer dereference

This commit is contained in:
gauri patankar 2022-12-16 18:38:03 +05:30
parent c41bb46d92
commit 5213664cea

View File

@ -52,6 +52,7 @@
struct wpa_sm gWpaSm; struct wpa_sm gWpaSm;
/* fix buf for tx for now */ /* fix buf for tx for now */
#define WPA_TX_MSG_BUFF_MAXLEN 200 #define WPA_TX_MSG_BUFF_MAXLEN 200
#define MIN_DH_LEN 4
#define ASSOC_IE_LEN 24 + 2 + PMKID_LEN + RSN_SELECTOR_LEN #define ASSOC_IE_LEN 24 + 2 + PMKID_LEN + RSN_SELECTOR_LEN
#define MAX_EAPOL_RETRIES 3 #define MAX_EAPOL_RETRIES 3
@ -2914,7 +2915,6 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
{ {
size_t prime_len=0,hash_len=0; size_t prime_len=0,hash_len=0;
struct wpabuf * sh_secret = NULL, *pub = NULL, *hkey = NULL; struct wpabuf * sh_secret = NULL, *pub = NULL, *hkey = NULL;
int res;
const char *info = "OWE Key Generation"; const char *info = "OWE Key Generation";
u8 pmkid[SHA256_MAC_LEN], prk[SHA256_MAC_LEN], pmk[SHA256_MAC_LEN]; u8 pmkid[SHA256_MAC_LEN], prk[SHA256_MAC_LEN], pmk[SHA256_MAC_LEN];
const u8 *addr[2]; const u8 *addr[2];
@ -2924,8 +2924,6 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
struct wpa_sm *sm; struct wpa_sm *sm;
sm = get_wpa_sm(); sm = get_wpa_sm();
(void)res;
wpabuf_free(sm->owe_ie); //free the dh ie constructed in owe_build_assoc_req wpabuf_free(sm->owe_ie); //free the dh ie constructed in owe_build_assoc_req
sm->owe_ie = NULL; sm->owe_ie = NULL;
@ -2933,14 +2931,14 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
parsed_rsn_data = os_zalloc(sizeof(struct wpa_ie_data)); parsed_rsn_data = os_zalloc(sizeof(struct wpa_ie_data));
if (!parsed_rsn_data) { if (!parsed_rsn_data) {
wpa_printf(MSG_ERROR, "Memory allocation failed"); wpa_printf(MSG_ERROR, "Memory allocation failed");
goto fail; return -1;
} }
if (rsn_ie && rsn_len && wpa_parse_wpa_ie_rsn(rsn_ie, rsn_len + 2, parsed_rsn_data) != 0) { if (rsn_ie && rsn_len && wpa_parse_wpa_ie_rsn(rsn_ie, rsn_len + 2, parsed_rsn_data) != 0) {
goto fail; goto fail;
} }
if (!dh_ie && !dh_len && parsed_rsn_data->num_pmkid == 0) { if (!dh_ie || dh_len < MIN_DH_LEN || parsed_rsn_data->num_pmkid == 0) {
wpa_printf(MSG_ERROR, "OWE: No diffie hellman parameter in response"); wpa_printf(MSG_ERROR, "OWE: Invalid parameter");
goto fail; goto fail;
} }
@ -2981,7 +2979,11 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
addr[1] = dh_ie + 2; addr[1] = dh_ie + 2;
len[1] = dh_len - 2; len[1] = dh_len - 2;
res = sha256_vector(2, addr, len, pmkid); int res = sha256_vector(2, addr, len, pmkid);
if (res < 0 ) {
goto fail;
}
hash_len = SHA256_MAC_LEN; hash_len = SHA256_MAC_LEN;
pub = wpabuf_zeropad(pub, prime_len); pub = wpabuf_zeropad(pub, prime_len);
@ -2996,6 +2998,10 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
wpabuf_put_le16(hkey, sm->owe_group); /* group */ wpabuf_put_le16(hkey, sm->owe_group); /* group */
res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), wpabuf_head(sh_secret), wpabuf_len(sh_secret), prk); res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), wpabuf_head(sh_secret), wpabuf_len(sh_secret), prk);
if (res < 0 ) {
goto fail;
}
hash_len = SHA256_MAC_LEN; hash_len = SHA256_MAC_LEN;
wpabuf_free(hkey); wpabuf_free(hkey);
@ -3006,6 +3012,9 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
/* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *)info, res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *)info,
os_strlen(info), pmk, hash_len); os_strlen(info), pmk, hash_len);
if (res < 0 ) {
goto fail;
}
forced_memzero(prk, SHA256_MAC_LEN); forced_memzero(prk, SHA256_MAC_LEN);
wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, OWE_PMKID_LEN); wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, OWE_PMKID_LEN);