WNM: Verify WNM Sleep Mode element length
authorJouni Malinen <j@w1.fi>
Sun, 25 Oct 2015 12:45:09 +0000 (14:45 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 25 Oct 2015 17:37:17 +0000 (19:37 +0200)
This element is required to have at least four octets of actual payload.
This was not previously verified before use and the extra buffer data
after the IE might have been used instead if a received WNM-Sleep Mode
Response frame was invalid.

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/wnm_sta.c

index 6e3dd5c3e68a4825407ed304f8c3d1dedcb0a77d..1f627ba37a2ab60d44c34789be7554784a00e258 100644 (file)
@@ -268,7 +268,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
                        break;
                }
                wpa_hexdump(MSG_DEBUG, "WNM: Element", pos, 2 + ie_len);
-               if (*pos == WLAN_EID_WNMSLEEP)
+               if (*pos == WLAN_EID_WNMSLEEP && ie_len >= 4)
                        wnmsleep_ie = (struct wnm_sleep_element *) pos;
                else if (*pos == WLAN_EID_TFS_RESP) {
                        if (!tfsresp_ie_start)
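Review bot: The literal `4` in the new condition `ie_len >= 4` is not tied to the structure that `pos` is cast to on the following line, so the length check and the layout of `struct wnm_sleep_element` can drift apart unnoticed. If that structure includes the two-octet element header (its definition is not visible in this hunk, so please confirm), the bound could be derived from it: `if (*pos == WLAN_EID_WNMSLEEP && ie_len >= sizeof(struct wnm_sleep_element) - 2)`. Otherwise a short comment naming the four required payload octets would do. A too-short element is also skipped without any trace, so a debug line such as `wpa_printf(MSG_DEBUG, "WNM: Ignoring too short WNM-Sleep Mode element");` would let logs distinguish a truncated element from a missing one. The body of ieee802_11_rx_wnmsleep_resp starts and ends outside the hunk, so how an unset `wnmsleep_ie` is handled afterwards cannot be checked from here.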