From 2ecb5a9d52b8a9c278328cc18ae3db3584514d19 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Sun, 7 Feb 2016 12:51:28 -0800 Subject: Check whether Ness is valid as well. It's also used as an array index, and it also is no guaranteed to be in the proper range in all capture files, so bounds-check it. Make the variable's type match that of the field in the radio metadata. (It's never negative, so it's unsigned.) This appears to be the last of the unchecked array references from bug 12085. Bug: 12085 Change-Id: I3e5b821a9b70dfd520d01036f6f7d02008aca200 Reviewed-on: https://code.wireshark.org/review/13806 Reviewed-by: Guy Harris
---
 epan/dissectors/packet-ieee80211-radio.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'epan/dissectors')
diff --git a/epan/dissectors/packet-ieee80211-radio.c b/epan/dissectors/packet-ieee80211-radio.c
index 200ab6d3ec..c447d5540c 100644
--- a/epan/dissectors/packet-ieee80211-radio.c
+++ b/epan/dissectors/packet-ieee80211-radio.c
@@ -705,7 +705,7 @@ dissect_wlan_radio (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void
 static const guint Nhteltf[4] = {0, 1, 2, 4};
 guint Nsts, bits, Mstbc, bits_per_symbol, symbols;
 int stbc_streams;
- int ness;
+ guint ness;
 gboolean fec;
 /*
@@ -755,6 +755,10 @@ dissect_wlan_radio (tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void
 if (info_n->has_ness) {
 ness = info_n->ness;
+ if (ness >= G_N_ELEMENTS(Nhteltf)) {
+ /* Not valid */
+ break;
+ }
 } else {
 ness = 0;
 assumed_no_extension_streams = TRUE;
-- cgit v1.2.1
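Review bot: `int stbc_streams;`, directly above the changed declaration in the first hunk, is still signed, although the commit message's reasoning for `guint ness` (match the type of the metadata field, value is never negative) looks like it applies to it as well. If the corresponding radio-metadata field is unsigned too, declare it `guint stbc_streams;` so the two locals are handled the same way; if it is signed on purpose, a one-line comment saying why would help. The field's type and the uses of `stbc_streams` are outside the hunk, so this is a question, not a confirmed defect.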
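Review bot: The new `break` under `if (ness >= G_N_ELEMENTS(Nhteltf))` in the second hunk discards an out-of-range Ness silently, and `/* Not valid */` does not say what is invalid or what is being skipped. Since the value comes from the capture file, I would make the comment explicit, e.g. `/* Ness from the capture file is out of range for Nhteltf[]; give up on this calculation */`. Consider also reporting it (for instance through an expert-info item, if this dissector has one for bad radio metadata) so a malformed capture is visible to the analyst. The enclosing block of dissect_wlan_radio starts and ends outside the hunk, so I cannot confirm from here what the `break` exits or whether values computed earlier in the block are left half-updated.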