Add boundary check for 802.11 decryption
Fixed stack-based buffer overflow when the frame length exceeds 8KB. Bug: 11790 Change-Id: I20db8901765a7660e587057e955d4fb5a8645574 Reviewed-on: https://code.wireshark.org/review/12237 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This commit is contained in:
parent
38c53f9800
commit
40b283181c
|
@ -663,6 +663,12 @@ INT AirPDcapPacketProcess(
|
|||
return AIRPDCAP_RET_WRONG_DATA_SIZE;
|
||||
}
|
||||
|
||||
/* Assume that the decrypt_data field is at least this size. */
|
||||
if (tot_len > AIRPDCAP_MAX_CAPLEN) {
|
||||
AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
|
||||
return AIRPDCAP_RET_UNSUCCESS;
|
||||
}
|
||||
|
||||
/* get BSSID */
|
||||
if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
|
||||
memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
|
||||
|
|
|
@ -183,7 +183,7 @@ extern "C" {
|
|||
* @param data_len [IN] Total length of the MAC header and the payload
|
||||
* @param decrypt_data [OUT] Pointer to a buffer that will contain
|
||||
* decrypted data. If this parameter is set to NULL, decrypted data will
|
||||
* be discarded.
|
||||
* be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
|
||||
* @param decrypt_len [OUT] Length of decrypted data if decrypt_data
|
||||
* is not NULL.
|
||||
* @param key [OUT] Pointer to a preallocated key structure containing
|
||||
|
|
Loading…
Reference in New Issue