
FST: Validate STIE header in FST Setup Request/Response

While this is always supposed to be the first element, check that this
is indeed the case instead of blindly using values from within the
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 9 years ago
parent
commit
b019955297
1 changed files with 12 additions and 0 deletions
  1. 12 0
      src/fst/fst_session.c

+ 12 - 0
src/fst/fst_session.c

@@ -376,6 +376,12 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
 	plen = frame_len - IEEE80211_HDRLEN - 1;
 	req = (const struct fst_setup_req *)
 		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+	if (req->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+	    req->stie.length < 11) {
+		fst_printf_iface(iface, MSG_WARNING,
+				 "FST Request dropped: invalid STIE");
+		return;
+	}
 
 	if (req->stie.new_band_id == req->stie.old_band_id) {
 		fst_printf_iface(iface, MSG_WARNING,
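Review bot: The new guard on `req->stie.length` sets only a lower bound, so an element that claims more bytes than the frame holds still passes. `plen` is computed just above, so a loose upper bound could be added as `req->stie.length < 11 || (size_t) req->stie.length + 2 > plen) {`; a tighter one would also subtract the offset of `stie` within `struct fst_setup_req`. The same applies to `res->stie.length` in the setup-response hunk. Whether the fixed STIE fields read below are in bounds depends on a `frame_len` check that would sit before this hunk and is not visible here. The bare `11` would also read better as a named constant or with a short comment such as `/* STIE body length without the 2-octet element header */`.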
@@ -539,6 +545,12 @@ static void fst_session_handle_setup_response(struct fst_session *s,
 	}
 	res = (const struct fst_setup_res *)
 		(((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+	if (res->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+	    res->stie.length < 11) {
+		fst_printf_iface(iface, MSG_WARNING,
+				 "FST Response dropped: invalid STIE");
+		return;
+	}
 
 	if (res->dialog_token != s->data.pending_setup_req_dlgt)  {
 		fst_printf_session(s, MSG_WARNING,
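Review bot: The added warning is logged with `fst_printf_iface(iface, ...)`, while the check that follows in the same function logs through `fst_printf_session(s, ...)`. Using the session-scoped call here would let a dropped response be tied to the pending session when reading logs, e.g. `fst_printf_session(s, MSG_WARNING, "FST Response dropped: invalid STIE");`. The function's signature and earlier checks lie outside the hunk, so confirm which logger the rest of the function uses before changing it.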