WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element
authorJouni Malinen <j@w1.fi>
Sun, 12 Feb 2017 09:43:54 +0000 (11:43 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 12 Feb 2017 15:44:56 +0000 (17:44 +0200)
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/wnm_ap.c

index 41d50cebfbe0ab35c5ebd9ca57a441c470fceab0..31d6ffcd739d03cfedc9512186131b3a9be0452a 100644 (file)
@@ -207,7 +207,8 @@ static void ieee802_11_rx_wnmsleep_req(struct hostapd_data *hapd,
                u8 ie_len = pos[1];
                if (pos + 2 + ie_len > frm + len)
                        break;
-               if (*pos == WLAN_EID_WNMSLEEP)
+               if (*pos == WLAN_EID_WNMSLEEP &&
+                   ie_len >= (int) sizeof(*wnmsleep_ie) - 2)
                        wnmsleep_ie = (struct wnm_sleep_element *) pos;
                else if (*pos == WLAN_EID_TFS_REQ) {
                        if (!tfsreq_ie_start)
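Review bot: A WNM-Sleep element that fails the new `ie_len >= (int) sizeof(*wnmsleep_ie) - 2` test is skipped without any trace, so a truncated or malformed request looks the same as one that never carried the element. Consider emitting a debug line when the ID matches but the length is short, e.g. `wpa_printf(MSG_DEBUG, "WNM: Ignore too short WNM-Sleep element (len=%u)", ie_len);`, so that malformed frames from a station are visible in logs. The bare `- 2` also deserves a short comment such as `/* ie_len excludes the 2-octet Element ID and Length header */`. The function body continues outside the hunk, so whether a NULL `wnmsleep_ie` is reported later cannot be confirmed from here.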