3a3658e6408e972dbab1f67d367773ee4f68705a
1 From ac8fa9ef198640086cf2ce7c94673be2b6a018a0 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Tue, 5 Mar 2019 23:43:25 +0200
4 Subject: [PATCH 10/14] SAE: Fix confirm message validation in error cases
5
6 Explicitly verify that own and peer commit scalar/element are available
7 when trying to check SAE confirm message. It could have been possible to
8 hit a NULL pointer dereference if the peer element could not have been
9 parsed. (CVE-2019-9496)
10
11 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
12 ---
13  src/common/sae.c | 14 +++++++++++---
14  1 file changed, 11 insertions(+), 3 deletions(-)
15
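--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1464,23 +1464,31 @@ int sae_check_confirm(struct sae_data *s
 
        wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
 
-       if (sae->tmp == NULL) {
+       if (!sae->tmp || !sae->peer_commit_scalar ||
+           !sae->tmp->own_commit_scalar) {
                wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
                return -1;
        }
 
-       if (sae->tmp->ec)
+       if (sae->tmp->ec) {
+               if (!sae->tmp->peer_commit_element_ecc ||
+                   !sae->tmp->own_commit_element_ecc)
+                       return -1;
                sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
                                   sae->tmp->peer_commit_element_ecc,
                                   sae->tmp->own_commit_scalar,
                                   sae->tmp->own_commit_element_ecc,
                                   verifier);
-       else
+       } else {
+               if (!sae->tmp->peer_commit_element_ffc ||
+                   !sae->tmp->own_commit_element_ffc)
+                       return -1;
                sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
                                   sae->tmp->peer_commit_element_ffc,
                                   sae->tmp->own_commit_scalar,
                                   sae->tmp->own_commit_element_ffc,
                                   verifier);
+       }
 
        if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
                wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");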
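Review bot: The two new `return -1` paths for a missing commit element (the ECC check inside `if (sae->tmp->ec)` and the FFC check in the `else` branch) fail silently, whereas the widened scalar check just above them still logs "SAE: Temporary data not yet available" before returning, so a confirm frame dropped by these branches leaves no trace in the debug log to distinguish it from a verifier mismatch or any other -1 return. Adding a matching message before each return, e.g. `wpa_printf(MSG_DEBUG, "SAE: Commit element not yet available");`, keeps the function's diagnostics consistent with its existing style and makes a peer sending confirm before a usable commit visible to an operator without a debugger. The new guards also cover `sae->peer_commit_scalar`, which lives outside `sae->tmp`; it is worth a short comment at the widened condition noting that both own and peer commit state are required here, since the pairing with the element checks below is not obvious from the condition alone. sae_check_confirm starts before this hunk and continues after it.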