Check whether mcs_index is sane, not just whether it's set.

Don't just check whether we *have* the MCS index, check whether it's a
valid MCS index, before we use it in calculations.  Otherwise, we'll
make out-of-bounds array accesses.

(May or may not fix bug 12085, so just Ping-Bug for now.  It's necessary
in any case.)

Change-Id: I7119366397b260089aea35ae9fcd5ad9ec6b06f2
Ping-Bug: 12085
Reviewed-on: https://code.wireshark.org/review/13790
Reviewed-by: Guy Harris <guy@alum.mit.edu>

1 files changed, 3 insertions, 1 deletions

diff --git a/epan/dissectors/packet-ieee80211-radio.c b/epan/dissectors/packet-ieee80211-radio.c
index 2d09e656ce..3f11c74783 100644
--- a/epan/dissectors/packet-ieee80211-radio.c
+++ b/epan/dissectors/packet-ieee80211-radio.c
@@ -709,9 +709,11 @@ dissect_wlan_radio (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void
           gboolean fec;
 
           /*
-           * If we don't have necessary fields, then bail.
+           * If we don't have necessary fields, or if we have them but
+           * they have invalid values, then bail.
            */
           if (!info_n->has_mcs_index ||
+            info_n->mcs_index >= MAX_MCS_INDEX ||
             !info_n->has_bandwidth ||
             !info_n->has_short_gi)
               break;