SAE: Fix confirm message validation in error cases

Explicitly verify that own and peer commit scalar/element are available
when trying to check the SAE confirm message. Without this check, a NULL
pointer dereference could be hit if the peer element could not be
parsed. (CVE-2019-9496)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-03-05 23:43:25 +02:00 committed by Jouni Malinen
parent cff138b074
commit ac8fa9ef19


@ -1487,23 +1487,31 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
if (sae->tmp == NULL) { if (!sae->tmp || !sae->peer_commit_scalar ||
!sae->tmp->own_commit_scalar) {
wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available"); wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
return -1; return -1;
} }
if (sae->tmp->ec) if (sae->tmp->ec) {
if (!sae->tmp->peer_commit_element_ecc ||
!sae->tmp->own_commit_element_ecc)
return -1;
sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ecc, sae->tmp->peer_commit_element_ecc,
sae->tmp->own_commit_scalar, sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ecc, sae->tmp->own_commit_element_ecc,
verifier); verifier);
else } else {
if (!sae->tmp->peer_commit_element_ffc ||
!sae->tmp->own_commit_element_ffc)
return -1;
sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
sae->tmp->peer_commit_element_ffc, sae->tmp->peer_commit_element_ffc,
sae->tmp->own_commit_scalar, sae->tmp->own_commit_scalar,
sae->tmp->own_commit_element_ffc, sae->tmp->own_commit_element_ffc,
verifier); verifier);
}
if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) { if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");