authorPeter Wu <peter@lekensteyn.nl>2015-11-28 01:24:12 +0100
committerPeter Wu <peter@lekensteyn.nl>2015-11-28 10:05:47 +0000
commitbf1fa88dee15366037f1caeb71ffe70ee870ea35 (patch)
tree7f81ac15020d20bc1ac0c3d16713233de95be539
parent68c9cc0419dcb69b54378a95fe5c76214a888882 (diff)
Add boundary check for 802.11 decryption
Fixed stack-based buffer overflow when the frame length exceeds 8KB. Bug: 11790 Change-Id: I20db8901765a7660e587057e955d4fb5a8645574 Reviewed-on: https://code.wireshark.org/review/12237 Petri-Dish: Anders Broman <a.broman58@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl> (cherry picked from commit 40b283181c63cb28bc6f58d80315eccca6650da0) [resolved conflict by accepting comments from v2.1.0rc0-764-g9cd66b2] Reviewed-on: https://code.wireshark.org/review/12246
-rw-r--r--epan/crypt/airpdcap.c6
-rw-r--r--epan/crypt/airpdcap_system.h6
2 files changed, 10 insertions, 2 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index a5cc0fdf4e..065fb10fb2 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -654,6 +654,12 @@ INT AirPDcapPacketProcess(
return AIRPDCAP_RET_WRONG_DATA_SIZE;
}
+ /* Assume that the decrypt_data field is at least this size. */
+ if (tot_len > AIRPDCAP_MAX_CAPLEN) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
+ return AIRPDCAP_RET_UNSUCCESS;
+ }
+
/* get BSSID */
if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
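Review bot: The new guard on `tot_len` protects the output buffer only as long as every caller honours a contract the function cannot check, which the added comment itself concedes with "Assume that the decrypt_data field is at least this size". I would have the comment name that contract, for example `/* Callers must pass a decrypt_data buffer of at least AIRPDCAP_MAX_CAPLEN bytes (see airpdcap_system.h). */`, and longer term pass the buffer capacity as a parameter so the bound is compared with the real size. The rejection returns `AIRPDCAP_RET_UNSUCCESS`, while the size check directly above returns `AIRPDCAP_RET_WRONG_DATA_SIZE`; using the latter here would let callers tell an oversized frame from a failed decryption, provided no caller depends on the generic code. The body of AirPDcapPacketProcess starts and ends outside the hunk, so whether later stages write more than tot_len bytes cannot be confirmed from these lines.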
diff --git a/epan/crypt/airpdcap_system.h b/epan/crypt/airpdcap_system.h
index 08405fda21..172d4a49d5 100644
--- a/epan/crypt/airpdcap_system.h
+++ b/epan/crypt/airpdcap_system.h
@@ -181,8 +181,10 @@ extern "C" {
* @param data_off [IN] Payload offset (aka the MAC header length)
* @param data_len [IN] Total length of the MAC header and the payload
* @param decrypt_data [OUT] Pointer to a buffer that will contain
- * decrypted data
- * @param decrypt_len [OUT] Length of decrypted data
+ * decrypted data. If this parameter is set to NULL, decrypted data will
+ * be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
+ * @param decrypt_len [OUT] Length of decrypted data if decrypt_data
+ * is not NULL.
* @param key [OUT] Pointer to a preallocated key structure containing
* the key used during the decryption process (if done). If this parameter
* is set to NULL, the key will be not returned.
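Review bot: The `data_len` entry still gives no upper bound, so a caller reading this header cannot tell that frames longer than AIRPDCAP_MAX_CAPLEN are now rejected (assuming data_len is the value checked as tot_len in airpdcap.c). I would extend it to `@param data_len [IN] Total length of the MAC header and the payload; must not exceed AIRPDCAP_MAX_CAPLEN`. The new `decrypt_len` wording also leaves open what happens to the value when `decrypt_data` is NULL, and one clause saying whether it is left untouched would settle that. The return-value list of this comment lies outside the hunk, so it may need a matching entry for the oversized-frame case.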