Add another buffer length check to group key decryption.

svn path=/trunk/; revision=26071
2008-08-25 15:26:15 +00:00 · 2008-08-25 15:26:15 +00:00 · ab689cc334
parent f31f3f6d14
commit ab689cc334
1 changed files with 6 additions and 0 deletions
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@ -459,6 +459,7 @@ AirPDcapGetSaPtr(
 	return &ctx->sa[sa_index];
 }

+#define GROUP_KEY_PAYLOAD_LEN (8+4+sizeof(EAPOL_RSN_KEY))
 INT AirPDcapScanForGroupKey(
    PAIRPDCAP_CONTEXT ctx,
    const guint8 *data,
@ -487,6 +488,11 @@ INT AirPDcapScanForGroupKey(

 	AIRPDCAP_DEBUG_TRACE_START("AirPDcapScanForGroupKey");

+        if (mac_header_len + GROUP_KEY_PAYLOAD_LEN < tot_len) {
+            AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Message too short", AIRPDCAP_DEBUG_LEVEL_3);
+            return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
+        }
+
 	/* cache offset in the packet data */
 	offset = mac_header_len;