[automerger] WNM: Fix WNM-Sleep Mode Request bounds checking am: 7a543744db
Change-Id: I5dff3d2d27866f6e8b353c22d04e75dcaa5aadf9
diff --git a/src/ap/wnm_ap.c b/src/ap/wnm_ap.c
index 41d50ce..02daa9b 100644
--- a/src/ap/wnm_ap.c
+++ b/src/ap/wnm_ap.c
@@ -202,6 +202,13 @@
u8 *tfsreq_ie_end = NULL;
u16 tfsreq_ie_len = 0;
+ if (len < 1) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Ignore too short WNM-Sleep Mode Request from "
+ MACSTR, MAC2STR(addr));
+ return;
+ }
+
dialog_token = *pos++;
while (pos + 1 < frm + len) {
u8 ie_len = pos[1];