Undefined behavior in wpa3_process_rx_commit function (IDFGH-14308)

[safocl]

Answers checklist.

• I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

esp-idf/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

Line 479 in b5ac4fb

if (esp_send_sae_auth_reply(hapd, frm->bssid, frm->bssid, WLAN_AUTH_SAE,

produce undefined behavior:
esp_send_sae_auth_reply(hapd, frm->bssid, frm->bssid, WLAN_AUTH_SAE, frm->auth_transaction, ret, NULL, 0);
NULL passed to ies argument of esp_send_sae_auth_reply function:

int esp_send_sae_auth_reply(struct hostapd_data *hapd,
                            const u8 *dst, const u8 *bssid,
                            u16 auth_alg, u16 auth_transaction, u16 resp,
                            const u8 *ies, size_t ies_len)

esp-idf/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

Line 682 in b5ac4fb

int esp_send_sae_auth_reply(struct hostapd_data *hapd,

->
it passed to second argument of memcpy
os_memcpy(&((uint16_t *)req->data)[3], ies, ies_len - 3 * sizeof(uint16_t));
and The behavior is undefined if either dest or src is an invalid or null pointer. for this function (https://en.cppreference.com/w/c/string/byte/memcpy).

[safocl]

maybe need replace NULL to (u8 *) "" ?
how it's done in

esp-idf/components/wpa_supplicant/src/ap/ieee802_11.c

Line 656 in b5ac4fb

data ? wpabuf_head(data) : (u8 *) "",