aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/wnm_sta.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-10-25 12:45:09 (GMT)
committerJouni Malinen <j@w1.fi>2015-10-25 17:37:17 (GMT)
commit8acbe7f2a46cb2fb8cadd89c76fa98b037306342 (patch)
tree554213720195e2271cd0ee50b1d14e5730f9416f /wpa_supplicant/wnm_sta.c
parentdacd789f6da15456d746db2e0846f69f571040b8 (diff)
downloadhostap-8acbe7f2a46cb2fb8cadd89c76fa98b037306342.zip
hostap-8acbe7f2a46cb2fb8cadd89c76fa98b037306342.tar.gz
hostap-8acbe7f2a46cb2fb8cadd89c76fa98b037306342.tar.bz2
WNM: Verify WNM Sleep Mode element length
This element is required to have at least four octets of actual payload. This was not previously verified before use and the extra buffer data after the IE might have been used instead if a received WNM-Sleep Mode Response frame was invalid. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wnm_sta.c')
-rw-r--r--wpa_supplicant/wnm_sta.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 6e3dd5c..1f627ba 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -268,7 +268,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
break;
}
wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len);
- if (*pos == WLAN_EID_WNMSLEEP)
+ if (*pos == WLAN_EID_WNMSLEEP && ie_len >= 4)
wnmsleep_ie = (struct wnm_sleep_element *) pos;
else if (*pos == WLAN_EID_TFS_RESP) {
if (!tfsresp_ie_start)