osmocom
/
wireshark
14
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

[airpdcap] check the length of the WPA broadcast key we calculated 

return an error if our key is shorter than the key type required for the
encryption method we detected

this check prevents an out-of-bounds memory access when the key is copied

Bug: 11826
Change-Id: Ic779b5d87aa97a3b2d2b2c92ce12d0fff4a85adc
Reviewed-on: https://code.wireshark.org/review/12743
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This commit is contained in:
Martin Kaiser 2015-12-20 15:47:28 +01:00 committed by Michael Mann
parent fa24207d34
commit 83f2818118
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
epan/crypt/airpdcap.c
View File

@ -440,6 +440,10 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
}
key_len = (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)?TKIP_GROUP_KEY_LEN:CCMP_GROUP_KEY_LEN;
if (key_len > key_bytes_len) {
/* the key required for this protocol is longer than the key that we just calculated */
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
}
/* Decrypted key is now in szEncryptedKey with len of key_len */
DEBUG_DUMP("Broadcast key:", szEncryptedKey, key_len);