WNM: Add testing option to reject BSS Transition Management Request

[mech_eap.git] / wlantest / rx_tdls.c

diff --git a/wlantest/rx_tdls.c b/wlantest/rx_tdls.c
index d9247c1..0c012a9 100644 (file)
--- a/wlantest/rx_tdls.c
+++ b/wlantest/rx_tdls.c
@@ -142,11 +142,12 @@ static int tdls_verify_mic(struct wlantest *wt, struct wlantest_tdls *tdls,
        struct rsn_ftie *tmp_ftie;
 
        if (elems->link_id == NULL || elems->rsn_ie == NULL ||
-           elems->timeout_int == NULL || elems->ftie == NULL)
+           elems->timeout_int == NULL || elems->ftie == NULL ||
+           elems->ftie_len < sizeof(struct rsn_ftie))
                return -1;
 
        len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len +
-               2 + elems->timeout_int_len + 2 + elems->ftie_len;
+               2 + 5 + 2 + elems->ftie_len;
 
        buf = os_zalloc(len);
        if (buf == NULL)
@@ -168,8 +169,8 @@ static int tdls_verify_mic(struct wlantest *wt, struct wlantest_tdls *tdls,
        os_memcpy(pos, elems->rsn_ie - 2, 2 + elems->rsn_ie_len);
        pos += 2 + elems->rsn_ie_len;
        /* 6) Timeout Interval IE */
-       os_memcpy(pos, elems->timeout_int - 2, 2 + elems->timeout_int_len);
-       pos += 2 + elems->timeout_int_len;
+       os_memcpy(pos, elems->timeout_int - 2, 2 + 5);
+       pos += 2 + 5;
        /* 7) FTIE, with the MIC field of the FTIE set to 0 */
        os_memcpy(pos, elems->ftie - 2, 2 + elems->ftie_len);
        pos += 2;
@@ -488,7 +489,8 @@ static int tdls_verify_mic_teardown(struct wlantest *wt,
        const struct rsn_ftie *rx_ftie;
        struct rsn_ftie *tmp_ftie;
 
-       if (elems->link_id == NULL || elems->ftie == NULL)
+       if (elems->link_id == NULL || elems->ftie == NULL ||
+           elems->ftie_len < sizeof(struct rsn_ftie))
                return -1;
 
        len = 2 + 18 + 2 + 1 + 1 + 2 + elems->ftie_len;