authorGerald Combs <gerald@wireshark.org>2018-02-20 11:48:11 -0800
committerMichael Mann <mmann78@netscape.net>2018-02-21 01:05:29 +0000
commit9c5803ff7618002b8d18cfcd65fa44ec20fb1c76 (patch)
tree33409ac255fd773c5e8967f5e9cc8395bee5bb54
parentc9a081c3dcf1d66d1117a67b45e7ad7fcf9e065f (diff)
Airpdcap: Add length checks.
Make sure we don't underflow length values. Bug: 14442 Change-Id: I71baac428ba3b07fe4cd5a7f60fbe2a957ac460e Reviewed-on: https://code.wireshark.org/review/25937 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Michael Mann <mmann78@netscape.net>
-rw-r--r--epan/crypt/airpdcap.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 5d86631625..78a6d6647a 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -444,6 +444,11 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption_
}
if (key_found){
+ if (decrypted_data[key_index+1] <= 6) {
+ g_free(decrypted_data);
+ g_free(szEncryptedKey);
+ return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
+ }
key_length = decrypted_data[key_index+1] - 6;
if (key_index+8 >= key_bytes_len ||
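Review bot: The added guard reads `decrypted_data[key_index+1]` before the existing `key_index+8 >= key_bytes_len` test on the last line of the hunk, so the length byte is used before the index is shown to be in range here. The search loop that sets `key_found` lies outside the hunk, so it is not visible whether it already guarantees `key_index+1 < key_bytes_len`. If it does not, the guard should test the index first, e.g. `if (key_index+1 >= key_bytes_len || decrypted_data[key_index+1] <= 6) {`. The literal 6 is also unexplained on both the new line and the subtraction below it; a short comment saying which header bytes it accounts for would help the next reader confirm that `<= 6` is the right threshold.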
@@ -2202,6 +2207,7 @@ AirPDcapTDLSDeriveKey(
guint8 zeros[16] = { 0 };
gcry_mac_hd_t cmac_handle;
size_t cmac_len = 16;
+ size_t cmac_write_len;
#endif
/* Get key input */
@@ -2263,7 +2269,13 @@ AirPDcapTDLSDeriveKey(
gcry_mac_write(cmac_handle, &data[offset_timeout], data[offset_timeout + 1] + 2);
gcry_mac_write(cmac_handle, &data[offset_fte], 4);
gcry_mac_write(cmac_handle, zeros, 16);
- gcry_mac_write(cmac_handle, &data[offset_fte + 20], data[offset_fte + 1] + 2 - 20);
+ cmac_write_len = data[offset_fte + 1] + 2;
+ if (cmac_write_len < 20) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapTDLSDeriveKey", "Bad MAC len", AIRPDCAP_DEBUG_LEVEL_3);
+ gcry_mac_close(cmac_handle);
+ return AIRPDCAP_RET_UNSUCCESS;
+ }
+ gcry_mac_write(cmac_handle, &data[offset_fte + 20], cmac_write_len - 20);
if (gcry_mac_read(cmac_handle, mic, &cmac_len) != GPG_ERR_NO_ERROR) {
AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapTDLSDeriveKey", "MAC read error", AIRPDCAP_DEBUG_LEVEL_3);
gcry_mac_close(cmac_handle);
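Review bot: `cmac_write_len` is checked only against the lower bound of 20, so the final `gcry_mac_write` still trusts the packet-supplied byte `data[offset_fte + 1]` for how far past `offset_fte` it reads. The same holds for `data[offset_timeout + 1] + 2` two lines earlier. Nothing in this hunk compares either length with the size of `data`; if the caller (outside the hunk) does not already guarantee that each element lies fully inside the buffer, an upper-bound check belongs next to the new one. The check would also sit better before the `gcry_mac_write(cmac_handle, &data[offset_fte], 4)` call, which already reads from the element before its length has been validated. A comment such as `/* 20 = element header (2) + MIC control (2) + MIC (16, replaced by zeros) */` would document the constant, assuming that is the layout the three writes are following.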