OWE: Fix error case handling with drivers that implement AP SME

owe_auth_req_process() can return NULL in error cases, but the caller
was not prepared for this. The p pointer cannot be overridden in such
cases since that would result in buffer length (p - buf) overflows. Fix
this by using a temporary variable to check the return value before
overriding p so that the hostapd_sta_assoc() ends up using correct
length for the IE buffer.

Fixes: 33c8bbd8ca7a ("OWE: Add AP mode handling of OWE with drivers that implement SME")
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 7 years ago
parent
commit
04ded82efa
1 changed files with 9 additions and 4 deletions

+ 9 - 4
src/ap/drv_callbacks.c

@@ -526,10 +526,15 @@ skip_wpa_check:
 	if ((hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) &&
 	    wpa_auth_sta_key_mgmt(sta->wpa_sm) == WPA_KEY_MGMT_OWE &&
 	    elems.owe_dh) {
-		p = owe_auth_req_process(hapd, sta,
-					 elems.owe_dh, elems.owe_dh_len,
-					 p, &reason);
-		if (!p || reason != WLAN_STATUS_SUCCESS)
+		u8 *npos;
+
+		npos = owe_auth_req_process(hapd, sta,
+					    elems.owe_dh, elems.owe_dh_len,
+					    p, &reason);
+		if (!npos)
+			goto fail;
+		p = npos;
+		if (reason != WLAN_STATUS_SUCCESS)
 			goto fail;
 	}
 #endif /* CONFIG_OWE */
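
Review bot: At `if (!npos) goto fail;` the jump is taken with whatever value `reason` currently holds, and nothing in this hunk shows that owe_auth_req_process() sets `reason` to a non-success status whenever it returns NULL. If the code at `fail` reports `reason` onward, a NULL return with `reason` still equal to WLAN_STATUS_SUCCESS would signal success on an error path, so consider assigning a failure status before the goto in that case. A one-line comment above `p = npos;` noting that `p` must stay valid because `p - buf` is later used as the IE buffer length would also keep a later cleanup from folding the two checks back into a direct assignment to `p`.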