authorMartin Kaiser <wireshark@kaiser.cx>2015-12-20 15:47:28 +0100
committerMichael Mann <mmann78@netscape.net>2015-12-21 05:10:17 +0000
commit83f2818118ae255db949bb3a4b3a26ebd1c5f7c5 (patch)
tree36694ad230bbd334d8b19b5e869a5e3f9f140e35
parentfa24207d34c434a86461938c654cdaab0d9d00fa (diff)
[airpdcap] check the length of the WPA broadcast key we calculated
Return an error if our key is shorter than the key required for the encryption method we detected. This check prevents an out-of-bounds memory access when the key is copied.
Bug: 11826
Change-Id: Ic779b5d87aa97a3b2d2b2c92ce12d0fff4a85adc
Reviewed-on: https://code.wireshark.org/review/12743
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
-rw-r--r--epan/crypt/airpdcap.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 27eebba285..dcf448138e 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -440,6 +440,10 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
}
key_len = (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)?TKIP_GROUP_KEY_LEN:CCMP_GROUP_KEY_LEN;
+ if (key_len > key_bytes_len) {
+ /* the key required for this protocol is longer than the key that we just calculated */
+ return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
+ }
/* Decrypted key is now in szEncryptedKey with len of key_len */
DEBUG_DUMP("Broadcast key:", szEncryptedKey, key_len);
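Review bot: The new early `return AIRPDCAP_RET_NO_VALID_HANDSHAKE;` leaves the function without releasing `szEncryptedKey`, which the following lines show is still live at this point. Its allocation is outside the hunk, so this needs confirming, but if it is a heap buffer (e.g. from `g_malloc`/`g_memdup`), add `g_free(szEncryptedKey);` before the `return`. Otherwise every frame carrying a too-short group key leaks a buffer, which a crafted capture could repeat many times. The declarations of `key_len` and `key_bytes_len` are also not visible; if one is signed and the other unsigned, the `key_len > key_bytes_len` comparison should be checked for a negative `key_bytes_len` being promoted to a large unsigned value. The function starts and ends outside the hunk.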