From 8acbe7f2a46cb2fb8cadd89c76fa98b037306342 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 25 Oct 2015 14:45:09 +0200
Subject: [PATCH] WNM: Verify WNM Sleep Mode element length

This element is required to have at least four octets of actual payload. This was not previously verified before use and the extra buffer data after the IE might have been used instead if a received WNM-Sleep Mode Response frame was invalid.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/wnm_sta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 6e3dd5c3e..1f627ba37 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -268,7 +268,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
 break;
 }
 wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len);
- if (*pos == WLAN_EID_WNMSLEEP)
+ if (*pos == WLAN_EID_WNMSLEEP && ie_len >= 4)
 wnmsleep_ie = (struct wnm_sleep_element *) pos;
 else if (*pos == WLAN_EID_TFS_RESP) {
 if (!tfsresp_ie_start)
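Review bot: The bare `4` in the new `ie_len >= 4` condition is not tied to the structure it protects, so a later change to `struct wnm_sleep_element` could silently bring the over-read back. Assuming that struct is the packed on-air layout with a 2-octet header (its definition is not in this hunk), the bound could be derived from it as `if (*pos == WLAN_EID_WNMSLEEP && ie_len >= sizeof(*wnmsleep_ie) - 2)`. Failing that, a comment such as `/* element payload (fields after the 2-octet EID/length header) must be at least 4 octets */` would record the reason. A truncated WNM-Sleep element now falls through to the `else if` chain without a message of its own, so a debug log cannot tell a malformed response from one that lacks the element. A `wpa_printf(MSG_DEBUG, "WNM: Too short WNM-Sleep Mode element (len=%u)", ie_len);` on that path would make such frames visible. The loop and the rest of `ieee802_11_rx_wnmsleep_resp` lie outside the hunk, so how a NULL `wnmsleep_ie` is handled afterwards cannot be confirmed from here.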