Fix buffer overflow in 802.11 decryption
sha1_hmac writes whole 20-byte blocks on every loop iteration, so the PTK
derivation emits a multiple of 20 bytes (80 for a 512-bit PTK), while the ptk buffer
and use an output buffer of 80 octets.
Noticed when running Wireshark with ASAN, on exit it would try to free a
"next" pointer which was filled with sha1 garbage. It probably got
triggered via 3f8fbb7349
which made
AirPDcap responsible for managing its own memory.
Bug: 10849
Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
Reviewed-on: https://code.wireshark.org/review/7645
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
parent
90797b95a0
commit
b5d062ba57
|
@ -1737,7 +1737,8 @@ AirPDcapGetBssidAddress(
|
|||
}
|
||||
}
|
||||
|
||||
/* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74 */
|
||||
/* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74
|
||||
* and IEEE 802.11i-2004, pag. 164 */
|
||||
static void
|
||||
AirPDcapRsnaPrfX(
|
||||
AIRPDCAP_SEC_ASSOCIATION *sa,
|
||||
|
@ -1749,6 +1750,7 @@ AirPDcapRsnaPrfX(
|
|||
UINT8 i;
|
||||
UCHAR R[100];
|
||||
INT offset=sizeof("Pairwise key expansion");
|
||||
UCHAR output[80]; /* allow for sha1 overflow. */
|
||||
|
||||
memset(R, 0, 100);
|
||||
|
||||
|
@ -1785,8 +1787,9 @@ AirPDcapRsnaPrfX(
|
|||
for(i = 0; i < (x+159)/160; i++)
|
||||
{
|
||||
R[offset] = i;
|
||||
sha1_hmac(pmk, 32, R, 100, ptk + i * 20);
|
||||
sha1_hmac(pmk, 32, R, 100, &output[20 * i]);
|
||||
}
|
||||
memcpy(ptk, output, x/8);
|
||||
}
|
||||
|
||||
static INT
|
||||
|
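Review bot: The new `output[80]` buffer is only large enough because the loop at `for(i = 0; i < (x+159)/160; i++)` currently receives x of at most 512 bits; it still writes `20 * ((x+159)/160)` bytes with no check against `sizeof(output)`, so any larger x (a future cipher suite with a longer PTK) would overrun `output` exactly as the old code overran `ptk`. A guard before the loop, `if ((x + 159) / 160 * 20 > sizeof(output)) return;` (or a `g_assert`), would make the fix robust rather than dependent on the callers' current values. The trailing `memcpy(ptk, output, x/8)` likewise relies on the caller's `ptk` holding at least x/8 bytes; the description says it is 64 bytes, but no size is passed, so that too is worth an assertion or a comment. The comment `/* allow for sha1 overflow. */` on the declaration is misleading, since nothing in SHA-1 overflows; something like `/* sha1_hmac emits whole 20-byte blocks: 4 blocks cover a 512-bit PTK (802.11i-2004 p.164) */` states the actual reason. The enclosing function AirPDcapRsnaPrfX starts outside this hunk.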