Check whether Ness is valid as well.

It's also used as an array index, and it also is no guaranteed to be in
the proper range in all capture files, so bounds-check it.

Make the variable's type match that of the field in the radio metadata.
(It's never negative, so it's unsigned.)

This appears to be the last of the unchecked array references from bug
12085.

Bug: 12085
Change-Id: I3e5b821a9b70dfd520d01036f6f7d02008aca200
Reviewed-on: https://code.wireshark.org/review/13806
Reviewed-by: Guy Harris <guy@alum.mit.edu>

1 files changed, 5 insertions, 1 deletions

diff --git a/epan/dissectors/packet-ieee80211-radio.c b/epan/dissectors/packet-ieee80211-radio.c
index 200ab6d3ec..c447d5540c 100644
--- a/epan/dissectors/packet-ieee80211-radio.c
+++ b/epan/dissectors/packet-ieee80211-radio.c
@@ -705,7 +705,7 @@ dissect_wlan_radio (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void
           static const guint Nhteltf[4] = {0, 1, 2, 4};
           guint Nsts, bits, Mstbc, bits_per_symbol, symbols;
           int stbc_streams;
-          int ness;
+          guint ness;
           gboolean fec;
 
           /*
@@ -755,6 +755,10 @@ dissect_wlan_radio (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void
 
           if (info_n->has_ness) {
             ness = info_n->ness;
+            if (ness >= G_N_ELEMENTS(Nhteltf)) {
+                /* Not valid */
+                break;
+            }
           } else {
             ness = 0;
             assumed_no_extension_streams = TRUE;