diff options
-rw-r--r-- | epan/crypt/airpdcap.c | 6 | ||||
-rw-r--r-- | epan/crypt/airpdcap_system.h | 6 |
2 files changed, 10 insertions, 2 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c index a5cc0fdf4e..065fb10fb2 100644 --- a/epan/crypt/airpdcap.c +++ b/epan/crypt/airpdcap.c @@ -654,6 +654,12 @@ INT AirPDcapPacketProcess( return AIRPDCAP_RET_WRONG_DATA_SIZE; } + /* Assume that the decrypt_data field is at least this size. */ + if (tot_len > AIRPDCAP_MAX_CAPLEN) { + AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3); + return AIRPDCAP_RET_UNSUCCESS; + } + /* get BSSID */ if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) { memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN); diff --git a/epan/crypt/airpdcap_system.h b/epan/crypt/airpdcap_system.h index 08405fda21..172d4a49d5 100644 --- a/epan/crypt/airpdcap_system.h +++ b/epan/crypt/airpdcap_system.h @@ -181,8 +181,10 @@ extern "C" { * @param data_off [IN] Payload offset (aka the MAC header length) * @param data_len [IN] Total length of the MAC header and the payload * @param decrypt_data [OUT] Pointer to a buffer that will contain - * decrypted data - * @param decrypt_len [OUT] Length of decrypted data + * decrypted data. If this parameter is set to NULL, decrypted data will + * be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes. + * @param decrypt_len [OUT] Length of decrypted data if decrypt_data + * is not NULL. * @param key [OUT] Pointer to a preallocated key structure containing * the key used during the decryption process (if done). If this parameter * is set to NULL, the key will be not returned. |