SAE: Check for invalid Rejected Groups element length explicitly on STA

Instead of practically ignoring an odd octet at the end of the element, check for such invalid case explicitly. This is needed to avoid a potential group downgrade attack. Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled") Signed-off-by: Jouni Malinen <[email protected]>
espressif · Nov 18, 2024 · ce2e545 · ce2e545
1 parent 9a63899
commit ce2e545
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c
@@ -263,15 +263,22 @@ static int wpa3_sae_is_group_enabled(int group)
 
 static int wpa3_check_sae_rejected_groups(const struct wpabuf *groups)
 {
-    size_t i, count;
+    size_t i, count, len;
     const u8 *pos;
 
     if (!groups) {
         return 0;
     }
 
     pos = wpabuf_head(groups);
-    count = wpabuf_len(groups) / 2;
+    len = wpabuf_len(groups);
+    if (len & 1) {
+        wpa_printf(MSG_DEBUG,
+                   "SAE: Invalid length of the Rejected Groups element payload: %zu",
+                   len);
+        return 1;
+    }
+    count = len / 2;
     for (i = 0; i < count; i++) {
         int enabled;
         u16 group;