From: Jouni Malinen Date: Sun, 26 Jul 2015 07:54:58 +0000 (+0300) Subject: FST: Validate STIE header in FST Setup Request/Response X-Git-Tag: hostap_2_5~313 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0199552973eb349dbf9cad165484070a3b2434b;p=thirdparty%2Fhostap.git FST: Validate STIE header in FST Setup Request/Response While this is always supposed to be the first element, check that this is indeed the case instead of blindly using values from within the element. Signed-off-by: Jouni Malinen
---
diff --git a/src/fst/fst_session.c b/src/fst/fst_session.c
index ac49fcf83..7a4d6db97 100644
--- a/src/fst/fst_session.c
+++ b/src/fst/fst_session.c
@@ -376,6 +376,12 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
 plen = frame_len - IEEE80211_HDRLEN - 1;
 req = (const struct fst_setup_req *) (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+ if (req->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+ req->stie.length < 11) {
+ fst_printf_iface(iface, MSG_WARNING,
+ "FST Request dropped: invalid STIE");
+ return;
+ }
 if (req->stie.new_band_id == req->stie.old_band_id) {
 fst_printf_iface(iface, MSG_WARNING,
@@ -539,6 +545,12 @@ static void fst_session_handle_setup_response(struct fst_session *s,
 }
 res = (const struct fst_setup_res *) (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+ if (res->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+ res->stie.length < 11) {
+ fst_printf_iface(iface, MSG_WARNING,
+ "FST Response dropped: invalid STIE");
+ return;
+ }
 if (res->dialog_token != s->data.pending_setup_req_dlgt) {
 fst_printf_session(s, MSG_WARNING,
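Review bot: The new guard in fst_session_handle_setup_request() enforces only a lower bound, so an STIE that declares a `length` above 11 is accepted even though its fields are still read through the fixed `stie` layout. If code after this hunk treats the bytes following `*req` as further elements (the `plen` computed just above suggests the remaining payload is used later), that parse would begin inside the oversized STIE rather than at the next element header; either reject with `req->stie.length != 11` or advance by `2 + req->stie.length` when locating what follows. The literal 11 would also read better as a named constant or with a comment such as `/* FSTS ID (4) + Session Control (1) + New Band (3) + Old Band (3) */`. The same applies to the `res->stie.length < 11` check in fst_session_handle_setup_response(); both function bodies start and end outside the hunks shown.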
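Review bot: The drop added to fst_session_handle_setup_response() is logged with `fst_printf_iface(iface, ...)`, while the very next rejection in the same function uses `fst_printf_session(s, MSG_WARNING,`. Using the session logger here, `fst_printf_session(s, MSG_WARNING, "FST Response dropped: invalid STIE");`, would keep every rejection of a response attributable to the same session when the log is triaged. Neither the declaration of `iface` nor the earlier frame-length check is visible in this hunk, so it is worth confirming that a check covering `sizeof(*res)` runs before `res->stie` is read. The function body starts and ends outside the hunk.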