osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

Make sure EAPOL body is big enough for a EAPOL_RSN_KEY. 

A pointer to a EAPOL_RSN_KEY is set on the packet presuming the
whole EAPOL_RSN_KEY is there.  That's not always the case for
fuzzed/malicious captures.

Bug: 11585
Change-Id: Ib94b8aceef444c7820e43b969596efdb8dbecccd
Reviewed-on: https://code.wireshark.org/review/15540
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
Michael Mann 2016-05-22 20:21:17 -04:00 committed by Anders Broman
parent b831f251ef
commit 9b0b20b8d5
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
epan/crypt/airpdcap.c
View File

@ -571,7 +571,7 @@ static INT AirPDcapScanForKeys(
/* get and check the body length (IEEE 802.1X-2004, pg. 25) */
bodyLength=pntoh16(data+offset+2);
if ((tot_len-offset-4) < bodyLength) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3);
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
}