| author | Jouni Malinen <j@w1.fi> | 2015-07-26 10:54:58 +0300 |
|---|---|---|
| committer | Linux Build Service Account <lnxbuild@localhost> | 2015-10-06 03:19:57 -0600 |
| commit | 0dc4493d0aedb9e8c06be3b42b0412b1e317c3b2 (patch) | |
| tree | 1bdb617be849f5db8edade3b8ff1fea96c6f7ae8 /src/fst | |
| parent | cd00a4ea462db49416e318171eebbe01d3de72d5 (diff) | |
FST: Validate STIE header in FST Setup Request/Response
While this is always supposed to be the first element, check that this
is indeed the case instead of blindly using values from within the
element.
Change-Id: Ieb197007e186f6b963ff58e3b393320cfbfca88d
Signed-off-by: Jouni Malinen <j@w1.fi>
Git-commit: b0199552973eb349dbf9cad165484070a3b2434b
Git-repo: git://w1.fi/srv/git/hostap.git
CRs-Fixed: 891455
Diffstat (limited to 'src/fst')
| -rw-r--r-- | src/fst/fst_session.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/fst/fst_session.c b/src/fst/fst_session.c
index ac49fcf8..7a4d6db9 100644
--- a/src/fst/fst_session.c
+++ b/src/fst/fst_session.c
@@ -376,6 +376,12 @@ static void fst_session_handle_setup_request(struct fst_iface *iface,
 plen = frame_len - IEEE80211_HDRLEN - 1;
 req = (const struct fst_setup_req *) (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+ if (req->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+ req->stie.length < 11) {
+ fst_printf_iface(iface, MSG_WARNING,
+ "FST Request dropped: invalid STIE");
+ return;
+ }
 if (req->stie.new_band_id == req->stie.old_band_id) {
 fst_printf_iface(iface, MSG_WARNING,
@@ -539,6 +545,12 @@ static void fst_session_handle_setup_response(struct fst_session *s,
 }
 res = (const struct fst_setup_res *) (((const u8 *) mgmt) + IEEE80211_HDRLEN + 1);
+ if (res->stie.element_id != WLAN_EID_SESSION_TRANSITION ||
+ res->stie.length < 11) {
+ fst_printf_iface(iface, MSG_WARNING,
+ "FST Response dropped: invalid STIE");
+ return;
+ }
 if (res->dialog_token != s->data.pending_setup_req_dlgt) {
 fst_printf_session(s, MSG_WARNING, |
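Review bot: The bare `11` in `req->stie.length < 11` is unexplained, and the same literal is repeated in the setup-response hunk below. A one-line comment such as `/* STIE body: the fixed fields that follow element_id and length */`, or a shared named constant, would tie the bound to the element layout and keep the two checks from drifting apart. The test is also only a lower bound, so a peer-supplied length larger than the fixed body is accepted; if any later code uses `stie.length` to locate the following elements, it should be compared against `plen` too. Whether `frame_len` has already been checked to cover the whole `struct fst_setup_req` before `req->stie` is read cannot be seen here, because the function body starts and ends outside the hunk.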
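Review bot: The new warning in the response handler is emitted with `fst_printf_iface(iface, ...)`, while the context line directly below it logs with `fst_printf_session(s, ...)`. Using the session variant here, `fst_printf_session(s, MSG_WARNING, "FST Response dropped: invalid STIE");`, would keep the session identity in the log line, which makes it easier to correlate dropped frames with a misbehaving peer. Only the first parameter of the signature is visible in the hunk header, so this also assumes `iface` is in scope at this point. The function body begins and ends outside the hunk, so the frame-length precondition for reading `res->stie` is not visible either.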
