[automerger] WNM: Fix WNM-Sleep Mode Request bounds checking am: 7a543744db am: 4069976836 am: 5049aa2d74 am: fa9a73bdd4 am: 778267c63d Change-Id: I2bb1064ed21795ae6bf873ddb6a5d3daa79725a2

commit: e28ce4139046d6d30927a6a1a4adcc3afa467263 [log] [tgz]
author: Android Build Merger (Role) <noreply-android-build-merger@google.com> Fri Nov 02 17:21:00 2018 +0000
committer: Android Build Merger (Role) <noreply-android-build-merger@google.com> Fri Nov 02 17:21:00 2018 +0000
tree: 3ff6777805bd1d83ef3a0761c47e71c19ca37e3c
parent: eadabf98cb7c13d7980f64a317b392c420f6b20f [diff]
parent: 778267c63d6c6cd0e4c8c37da68c3835b17886e6 [diff]
diff --git a/src/ap/wnm_ap.c b/src/ap/wnm_ap.c
index 7c4fde0..adb66c1 100644
--- a/src/ap/wnm_ap.c
+++ b/src/ap/wnm_ap.c

@@ -200,6 +200,13 @@
 	u8 *tfsreq_ie_end = NULL;
 	u16 tfsreq_ie_len = 0;
 
+	if (len < 1) {
+		wpa_printf(MSG_DEBUG,
+			   "WNM: Ignore too short WNM-Sleep Mode Request from "
+			   MACSTR, MAC2STR(addr));
+		return;
+	}
+
 	dialog_token = *pos++;
 	while (pos + 1 < frm + len) {
 		u8 ie_len = pos[1];
commit	e28ce4139046d6d30927a6a1a4adcc3afa467263	[log] [tgz]
author	Android Build Merger (Role) <noreply-android-build-merger@google.com>	Fri Nov 02 17:21:00 2018 +0000
committer	Android Build Merger (Role) <noreply-android-build-merger@google.com>	Fri Nov 02 17:21:00 2018 +0000
tree	3ff6777805bd1d83ef3a0761c47e71c19ca37e3c
parent	eadabf98cb7c13d7980f64a317b392c420f6b20f [diff]
parent	778267c63d6c6cd0e4c8c37da68c3835b17886e6 [diff]