Fix another heap-based buffer overflow.
The S1 code works similarly to the S2/S3 code, and has the same issue. Change-Id: I288e30ccdf67d8a6daec8c8428c0f703e18ecc89 Reviewed-on: https://code.wireshark.org/review/14127 Reviewed-by: Guy Harris <guy@alum.mit.edu>
parent
75a522e678
commit
40fe88daf4
|
@ -1025,22 +1025,19 @@ static gboolean vwr_read_s1_W_rec(vwr_t *vwr, struct wtap_pkthdr *phdr,
|
|||
sig_ts = 0;
|
||||
|
||||
/*
|
||||
* We also copy over 16 bytes of PLCP header + 1 byte of L1P for user
|
||||
* Fill up the per-packet header.
|
||||
*
|
||||
* We also zero out 16 bytes PLCP header and 1 byte of L1P for user
|
||||
* position.
|
||||
*
|
||||
* XXX - for S1, do we even have that? The current Veriwave dissector
|
||||
* just blindly assumes there's a 17-byte blob before the 802.11
|
||||
* header.
|
||||
*/
|
||||
actual_octets = actual_octets + 17;
|
||||
|
||||
/*
|
||||
* Fill up the per-packet header.
|
||||
* header, which is why we fill in those extra zero bytes.
|
||||
*
|
||||
* We include the length of the metadata headers in the packet lengths.
|
||||
*/
|
||||
phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets;
|
||||
phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets;
|
||||
phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 1 + 16 + actual_octets;
|
||||
phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 1 + 16 + actual_octets;
|
||||
|
||||
phdr->ts.secs = (time_t)s_sec;
|
||||
phdr->ts.nsecs = (int)(s_usec * 1000);
|
||||
|
@ -1148,7 +1145,12 @@ static gboolean vwr_read_s1_W_rec(vwr_t *vwr, struct wtap_pkthdr *phdr,
|
|||
phtolel(&data_ptr[bytes_written], errors);
|
||||
bytes_written += 4;
|
||||
|
||||
/* No VHT, no VHT NDP flag, so just zero. */
|
||||
/*
|
||||
* No VHT, no VHT NDP flag, so just zero.
|
||||
*
|
||||
* XXX - is this supposed to be the RX L1 info, i.e. the "1 byte of L1P
|
||||
* for user position"?
|
||||
*/
|
||||
data_ptr[bytes_written] = 0;
|
||||
bytes_written += 1;
|
||||
|
||||
|
|
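Review bot: The 17 filler bytes are written as the bare literals `1 + 16` in both the `phdr->len` and `phdr->caplen` assignments of the first hunk, and nothing visible ties that total to what is actually placed in the buffer. Because the overflow being fixed came from a length counter that did not match the bytes copied, I would name the two sizes once (for example `#define VW_S1_L1P_LEN 1` and `#define VW_S1_PLCP_LEN 16`, names constructed here), compute the total a single time, and assign it to both fields. The second hunk's XXX asks whether the zero byte stored at `data_ptr[bytes_written]` is that same L1P byte; if it is, the comment should say so plainly so that a later edit does not count it twice. vwr_read_s1_W_rec starts and ends outside both hunks, so it is worth verifying that `actual_octets` is checked against the record size and that `bytes_written` plus the payload equals `caplen`, since neither can be confirmed from here.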