forked from osmocom/wireshark
Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
A pointer to a EAPOL_RSN_KEY is set on the packet presuming the whole EAPOL_RSN_KEY is there. That's not always the case for fuzzed/malicious captures. Bug: 11585 Change-Id: Ib94b8aceef444c7820e43b969596efdb8dbecccd Reviewed-on: https://code.wireshark.org/review/15540 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
b831f251ef
commit
9b0b20b8d5
|
@ -571,7 +571,7 @@ static INT AirPDcapScanForKeys(
|
|||
|
||||
/* get and check the body length (IEEE 802.1X-2004, pg. 25) */
|
||||
bodyLength=pntoh16(data+offset+2);
|
||||
if ((tot_len-offset-4) < bodyLength) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
|
||||
if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
|
||||
AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3);
|
||||
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue