package/network/services/hostapd/patches/063-0010-SAE-Fix-confirm-message-validation-in-error-cases.patch

   1 From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
   2 From: Jouni Malinen <jouni@codeaurora.org>
   3 Date: Tue, 5 Mar 2019 23:43:25 +0200
   4 Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases
   5
   6 Explicitly verify that own and peer commit scalar/element are available
   7 when trying to check SAE confirm message. It could have been possible to
   8 hit a NULL pointer dereference if the peer element could not have been
   9 parsed. (CVE-2019-9496)
  10
  11 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  12 ---
  13  src/common/sae.c | 14 +++++++++++---
  14  1 file changed, 11 insertions(+), 3 deletions(-)
  15
  16 --- a/src/common/sae.c
  17 +++ b/src/common/sae.c
  18 @@ -1464,23 +1464,31 @@ int sae_check_confirm(struct sae_data *s
  19
  20         wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
  21
  22 -       if (sae->tmp == NULL) {
  23 +       if (!sae->tmp || !sae->peer_commit_scalar ||
  24 +           !sae->tmp->own_commit_scalar) {
  25                 wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
  26                 return -1;
  27         }
  28
  29 -       if (sae->tmp->ec)
  30 +       if (sae->tmp->ec) {
  31 +               if (!sae->tmp->peer_commit_element_ecc ||
  32 +                   !sae->tmp->own_commit_element_ecc)
  33 +                       return -1;
  34                 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
  35                                    sae->tmp->peer_commit_element_ecc,
  36                                    sae->tmp->own_commit_scalar,
  37                                    sae->tmp->own_commit_element_ecc,
  38                                    verifier);
  39 -       else
  40 +       } else {
  41 +               if (!sae->tmp->peer_commit_element_ffc ||
  42 +                   !sae->tmp->own_commit_element_ffc)
  43 +                       return -1;
  44                 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
  45                                    sae->tmp->peer_commit_element_ffc,
  46                                    sae->tmp->own_commit_scalar,
  47                                    sae->tmp->own_commit_element_ffc,
  48                                    verifier);
  49 +       }
  50
  51         if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
  52                 wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");