2 files changed, 10 insertions, 2 deletions

diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index a5cc0fdf4e..065fb10fb2 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -654,6 +654,12 @@ INT AirPDcapPacketProcess(
         return AIRPDCAP_RET_WRONG_DATA_SIZE;
     }
 
+    /* Assume that the decrypt_data field is at least this size. */
+    if (tot_len > AIRPDCAP_MAX_CAPLEN) {
+        AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
+        return AIRPDCAP_RET_UNSUCCESS;
+    }
+
     /* get BSSID */
     if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
         memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
diff --git a/epan/crypt/airpdcap_system.h b/epan/crypt/airpdcap_system.h
index 08405fda21..172d4a49d5 100644
--- a/epan/crypt/airpdcap_system.h
+++ b/epan/crypt/airpdcap_system.h
@@ -181,8 +181,10 @@ extern "C" {
  * @param data_off [IN] Payload offset (aka the MAC header length)
  * @param data_len [IN] Total length of the MAC header and the payload
  * @param decrypt_data [OUT] Pointer to a buffer that will contain
- *   decrypted data
- * @param decrypt_len [OUT] Length of decrypted data
+ *   decrypted data. If this parameter is set to NULL, decrypted data will
+ *   be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
+ * @param decrypt_len [OUT] Length of decrypted data if decrypt_data
+ *   is not NULL.
  * @param key [OUT] Pointer to a preallocated key structure containing
  *   the key used during the decryption process (if done). If this parameter
  *   is set to NULL, the key will be not returned.