authorJouni Malinen <j@w1.fi>2015-07-26 07:54:58 (GMT)
committerJouni Malinen <j@w1.fi>2015-07-26 08:22:21 (GMT)
commitb0199552973eb349dbf9cad165484070a3b2434b (patch)
tree13c13b7f24c5bd68795e71d242f7869a5dee9bcc /src/fst
parente49f535dc518f7609fbbe5ecff9966ad271cf3f2 (diff)
FST: Validate STIE header in FST Setup Request/Response
While this is always supposed to be the first element, check that this is indeed the case instead of blindly using values from within the element. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/fst')
-rw-r--r--src/fst/fst_session.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/fst/fst_session.c b/src/fst/fst_session.c
index ac49fcf..7a4d6db 100644
--- a/src/fst/fst_session.c
+++ b/src/fst/fst_session.c
@@ -376,6 +376,12 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
plen = frame_len - IEEE80211_HDRLEN - 1;
req = (const struct fst_setup_req *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+ if (req->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+ req->stie.length < 11) {
+ fst_printf_iface(iface, MSG_WARNING,
+ "FST Request dropped: invalid STIE");
+ return;
+ }
if (req->stie.new_band_id == req->stie.old_band_id) {
fst_printf_iface(iface, MSG_WARNING,
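Review bot: The bare `11` in `req->stie.length < 11` (and again in `res->stie.length < 11` in the setup-response hunk) is unexplained. A named constant or a comment such as `/* STIE body length: the fields after the 2-octet element header */` would tie the bound to the fixed fields read right after it. The check is also only a lower bound: `stie.length` is not compared with `plen` computed just above, so if any code outside this hunk walks the frame by the advertised length, an over-long value would still pass here. Whether `frame_len` was already checked against `sizeof(*req)` before the cast is not visible, since the function body starts and ends outside the hunk.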
@@ -539,6 +545,12 @@ static void fst_session_handle_setup_response(struct fst_session *s,
}
res = (const struct fst_setup_res *)
(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+ if (res->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+ res->stie.length < 11) {
+ fst_printf_iface(iface, MSG_WARNING,
+ "FST Response dropped: invalid STIE");
+ return;
+ }
if (res->dialog_token != s->data.pending_setup_req_dlgt) {
fst_printf_session(s, MSG_WARNING,
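Review bot: The new drop message is logged with `fst_printf_iface(iface, ...)`, while the next check in this handler logs with `fst_printf_session(s, ...)` (visible two lines below), so this rejection presumably lacks the session context the neighbouring messages carry. Unless the difference is intentional, `fst_printf_session(s, MSG_WARNING, "FST Response dropped: invalid STIE");` would match the rest of the function. `iface` is presumably a parameter, but the signature is truncated in the hunk header, and the function body starts and ends outside the hunk.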