authorMichael Mann <mmann78@netscape.net>2016-05-22 20:21:17 -0400
committerAnders Broman <a.broman58@gmail.com>2016-05-23 08:04:46 +0000
commit9b0b20b8d5f8c9f7839d58ff6c5900f7e19283b4 (patch)
tree0c7c9887969db56ff0d0df2c718c5dfda8a359bd /epan/crypt
parentb831f251eff85c7cc32085bde5bc789f848a301f (diff)
downloadwireshark-9b0b20b8d5f8c9f7839d58ff6c5900f7e19283b4.tar.gz
Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
A pointer to a EAPOL_RSN_KEY is set on the packet presuming the whole EAPOL_RSN_KEY is there. That's not always the case for fuzzed/malicious captures. Bug: 11585 Change-Id: Ib94b8aceef444c7820e43b969596efdb8dbecccd Reviewed-on: https://code.wireshark.org/review/15540 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/crypt')
-rw-r--r--epan/crypt/airpdcap.c2
1 files changed, 1 insertions, 1 deletions
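--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -571,7 +571,7 @@ static INT AirPDcapScanForKeys(
 /* get and check the body length (IEEE 802.1X-2004, pg. 25) */
 bodyLength=pntoh16(data+offset+2);
- if ((tot_len-offset-4) < bodyLength) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
+ if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3);
 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
 }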
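Review bot: The trailing comment on the changed `if` line is now stale: it still explains only the frame-length check ("Only check if frame is long enough for eapol header") and says nothing about the new `bodyLength < sizeof(EAPOL_RSN_KEY)` condition, which is the whole point of the commit. Suggest rewording it to `/* Frame must hold the EAPOL header and the body must hold a full EAPOL_RSN_KEY; trailing garbage is ignored, see bug 9065 */` so the next reader does not drop the second condition as redundant. Note that `sizeof(EAPOL_RSN_KEY)` only guarantees the fixed part of the structure is present; if the structure carries a variable-length key-data field after a length member, that length still needs its own bound check where it is read, which would be outside this hunk — worth confirming. The check also presumes `tot_len-offset-4` cannot wrap, i.e. that an earlier test already ensured `offset+4 <= tot_len`; that earlier test is not visible here. AirPDcapScanForKeys begins before and continues after this hunk.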