From 7db3021f5966a84443426e2b6e56a68b05ecd483 Mon Sep 17 00:00:00 2001
From: Pascal Quantin <pascal.quantin@gmail.com>
Date: Mon, 22 Jun 2015 15:14:46 -0700
Subject: IEEE 802.11: add an expert info when tag length value is bigger than
 remaining payload

Bug: 11298
Change-Id: I18082a15fbeaa843099741511292eec19acf94b9
Reviewed-on: https://code.wireshark.org/review/9033
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
---
 epan/dissectors/packet-ieee80211.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
index 319c27f8ea..5c97e76760 100644
--- a/epan/dissectors/packet-ieee80211.c
+++ b/epan/dissectors/packet-ieee80211.c
@@ -13973,6 +13973,10 @@ add_tagged_field(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int offset
 
   ti_tag = proto_tree_add_item(tree, hf_ieee80211_tag_number, tvb, offset, 1, ENC_BIG_ENDIAN);
   ti_len = proto_tree_add_uint(tree, hf_ieee80211_tag_length, tvb, offset + 1, 1, tag_len);
+  if (tag_len > (guint)tvb_reported_length_remaining(tvb, offset)) {
+    expert_add_info_format(pinfo, ti_len, &ei_ieee80211_tag_length,
+                           "Tag Length is longer than remaining payload");
+  }
 
   switch (tag_no) {
   case TAG_SSID:
-- 
cgit v1.2.1