From d6d5970e23f15a849ef4779af54b5b5a83f25c6c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 12 Feb 2017 11:43:54 +0200
Subject: [PATCH] WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element

The length of the WNM-Sleep element was not verified before using it. This could result in reading the subfields in this element (total of four octets) beyond the end of the buffer. Fix this by ignoring the element if it is not long enough to contain all the subfields.

Signed-off-by: Jouni Malinen
---
 src/ap/wnm_ap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ap/wnm_ap.c b/src/ap/wnm_ap.c
index 41d50cebf..31d6ffcd7 100644
--- a/src/ap/wnm_ap.c
+++ b/src/ap/wnm_ap.c
@@ -207,7 +207,8 @@ static void ieee802_11_rx_wnmsleep_req(struct hostapd_data *hapd,
 		u8 ie_len = pos[1];
 		if (pos + 2 + ie_len > frm + len)
 			break;
-		if (*pos == WLAN_EID_WNMSLEEP)
+		if (*pos == WLAN_EID_WNMSLEEP &&
+		    ie_len >= (int) sizeof(*wnmsleep_ie) - 2)
 			wnmsleep_ie = (struct wnm_sleep_element *) pos;
 		else if (*pos == WLAN_EID_TFS_REQ) {
 			if (!tfsreq_ie_start)
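Review bot: The added length condition `ie_len >= (int) sizeof(*wnmsleep_ie) - 2` encodes the two-octet element header and the four subfield octets as bare arithmetic, and nothing in the hunk tells a later reader why 2 is subtracted or why a shorter element is dropped without any diagnostic; a one-line comment above it such as `/* body must carry all four subfield octets; skip the element (header is 2 octets) if it is shorter */` would make the bound self-explaining. The behaviour on a too-short element is correct but silent: the `else if (*pos == WLAN_EID_TFS_REQ)` branch cannot match a WLAN_EID_WNMSLEEP element, so it is simply ignored, which matches the commit message; a debug-level log in that case would help when diagnosing malformed requests, though it would need the condition split out of the combined `if`. The enclosing loop and the rest of ieee802_11_rx_wnmsleep_req lie outside the hunk, so whether a missing wnmsleep_ie is handled safely afterwards cannot be confirmed here.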