diff --git a/src/ap/wnm_ap.c b/src/ap/wnm_ap.c
index d9c1690ee..27c69d34a 100644
--- a/src/ap/wnm_ap.c
+++ b/src/ap/wnm_ap.c
@@ -255,6 +255,13 @@ static void ieee802_11_rx_wnmsleep_req(struct hostapd_data *hapd,
 		return;
 	}
 
+	if (len < 1) {
+		wpa_printf(MSG_DEBUG,
+			   "WNM: Ignore too short WNM-Sleep Mode Request from "
+			   MACSTR, MAC2STR(addr));
+		return;
+	}
+
 	dialog_token = *pos++;
 	while (pos + 1 < frm + len) {
 		u8 ie_len = pos[1];