[airpdcap] check the length of the WPA broadcast key we calculated
return an error if our key is shorter than the key type required for the encryption method we detected this check prevents an out-of-bounds memory access when the key is copied Bug: 11826 Change-Id: Ic779b5d87aa97a3b2d2b2c92ce12d0fff4a85adc Reviewed-on: https://code.wireshark.org/review/12743 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
This commit is contained in:
parent
fa24207d34
commit
83f2818118
|
@ -440,6 +440,10 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
|
|||
}
|
||||
|
||||
key_len = (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)?TKIP_GROUP_KEY_LEN:CCMP_GROUP_KEY_LEN;
|
||||
if (key_len > key_bytes_len) {
|
||||
/* the key required for this protocol is longer than the key that we just calculated */
|
||||
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
|
||||
}
|
||||
|
||||
/* Decrypted key is now in szEncryptedKey with len of key_len */
|
||||
DEBUG_DUMP("Broadcast key:", szEncryptedKey, key_len);
|
||||
|
|
Loading…
Reference in New Issue