Add boundary check for 802.11 decryption

Fixed stack-based buffer overflow when the frame length exceeds 8KB. Bug: 11790 Change-Id: I20db8901765a7660e587057e955d4fb5a8645574 Reviewed-on: https://code.wireshark.org/review/12237 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-11-28 01:24:12 +01:00 · 2015-11-28 01:24:12 +01:00 · 40b283181c
parent 38c53f9800
commit 40b283181c
2 changed files with 7 additions and 1 deletions
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@ -663,6 +663,12 @@ INT AirPDcapPacketProcess(
        return AIRPDCAP_RET_WRONG_DATA_SIZE;
    }

+    /* Assume that the decrypt_data field is at least this size. */
+    if (tot_len > AIRPDCAP_MAX_CAPLEN) {
+        AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
+        return AIRPDCAP_RET_UNSUCCESS;
+    }
+
    /* get BSSID */
    if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
        memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
--- a/epan/crypt/airpdcap_system.h
+++ b/epan/crypt/airpdcap_system.h
@ -183,7 +183,7 @@ extern "C" {
 * @param data_len [IN] Total length of the MAC header and the payload
 * @param decrypt_data [OUT] Pointer to a buffer that will contain
 *   decrypted data. If this parameter is set to NULL, decrypted data will
- *   be discarded.
+ *   be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
 * @param decrypt_len [OUT] Length of decrypted data if decrypt_data
 *   is not NULL.
 * @param key [OUT] Pointer to a preallocated key structure containing