author | Evan Huus <eapache@gmail.com> | 2013-10-01 13:07:25 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2013-10-01 13:07:25 +0000 |
commit | 3955de8abf0fb3870d1bf1e69e1ca9299b0442f0 (patch) | |
tree | 9db721b07d53054ec937413e4fb753b187aa7f73 | |
parent | 55371ca87db45d0e7463cfba3e57c3ef3a742d50 (diff) | |
download | wireshark-3955de8abf0fb3870d1bf1e69e1ca9299b0442f0.tar.gz |
Add some additional checks around the radiotap iterator initialization, to fix
the invalid access errors in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9212
(also add modelines)
svn path=/trunk/; revision=52311
-rw-r--r-- | epan/dissectors/packet-ieee80211-radiotap-iter.c | 17 | ||||
-rw-r--r-- | epan/dissectors/packet-ieee80211-radiotap.c | 3 |
2 files changed, 19 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ieee80211-radiotap-iter.c b/epan/dissectors/packet-ieee80211-radiotap-iter.c
index f6f0b94450..895155f5b9 100644
--- a/epan/dissectors/packet-ieee80211-radiotap-iter.c
+++ b/epan/dissectors/packet-ieee80211-radiotap-iter.c
@@ -74,7 +74,7 @@ static const struct ieee80211_radiotap_namespace radiotap_ns = {
 */
 #define ITERATOR_VALID(iterator, size) \
 (((iterator)->_arg + (size) - (unsigned char *)((iterator)->_rtheader)) <= \
- (ptrdiff_t)(iterator)->_max_length)
+ (ptrdiff_t)((iterator)->_max_length - sizeof(guint32)))

 /**
 * ieee80211_radiotap_iterator_init - radiotap parser iterator initialization
@@ -145,6 +145,8 @@ int ieee80211_radiotap_iterator_init(
 #endif

 /* find payload start allowing for extended bitmap(s) */
+ if (!ITERATOR_VALID(iterator, 0))
+ return -EINVAL;

 if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
 while (get_unaligned_le32(iterator->_arg) &
@@ -403,3 +405,16 @@ int ieee80211_radiotap_iterator_next(
 return 0;
 }
 }
+
+/*
+ * Editor modelines - http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */
diff --git a/epan/dissectors/packet-ieee80211-radiotap.c b/epan/dissectors/packet-ieee80211-radiotap.c
index 8e91dfadf7..fd5a586b4a 100644
--- a/epan/dissectors/packet-ieee80211-radiotap.c
+++ b/epan/dissectors/packet-ieee80211-radiotap.c
@@ -1028,6 +1028,9 @@ dissect_radiotap(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree)
 tvb, 2, 2, length);
 }

+ if (length < sizeof(struct ieee80211_radiotap_header)) {
+ length = sizeof(struct ieee80211_radiotap_header);
+ }
 data = tvb_memdup(wmem_packet_scope(), tvb, 0, length);
 if (!data)
 return; |
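Review bot: The new bound in `ITERATOR_VALID` subtracts `sizeof(guint32)` inside the macro, so every user of the macro now gives up the last four bytes of the header, not only the bitmap read this commit is protecting. Callers outside this hunk that validate a field ending exactly at `_max_length` would presumably start to fail. The subtraction is also carried out in `size_t` arithmetic on the usual platforms before the cast, so when `_max_length` is below four it wraps, and the outcome then rests on the implementation-defined conversion to `ptrdiff_t`. I would leave the macro as it was and state the size where the four-byte read happens, `if (!ITERATOR_VALID(iterator, sizeof(guint32))) return -EINVAL;`, in `ieee80211_radiotap_iterator_init` (the second hunk of this file).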
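Review bot: The added `ITERATOR_VALID(iterator, 0)` test runs once, before the loop, but the `while (get_unaligned_le32(iterator->_arg) &` condition under it is evaluated again on every pass, and each evaluation reads four bytes at `_arg`. The loop body is outside the hunk, so it is not visible whether `_arg` is re-validated after it advances. If it is not, a header whose extended bitmaps keep announcing a further bitmap could still carry the read past `_max_length`. Please confirm that the body repeats the bounds check, and add a comment at the new test such as `/* the presence bitmap read below needs 4 bytes at _arg */` so that the `0` size argument is not mistaken for a no-op.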
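Review bot: Raising `length` to `sizeof(struct ieee80211_radiotap_header)` when the packet claims less makes the copy large enough for the iterator, but it does so silently. The call ending in `tvb, 2, 2, length);` just above appears to have put the claimed value into the tree already, and any later use of `length` in `dissect_radiotap` (outside this hunk) now works with a number the packet never contained. A length shorter than the fixed header means the packet is malformed, so I would flag it with an expert-info item on the length field rather than only patching the value. A comment such as `/* the iterator reads a full radiotap header from data; never copy less than that */` would also help. The comparison mixes `length` with a `size_t`; if `length` is declared as a signed type, a negative value would compare as large and skip the clamp, so its declaration is worth checking.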