Don't try to decrypt with an AES key shorter than 128 bits.

AES keys must be at least 128 bits; AES_unwrap returns a null pointer if handed a too-short key, and we then just dereference that null pointer and crash. Just give up with a too-short key. Bug: 11507 Change-Id: Id1cf0a43c608597a11ff9df40f3654e6ff30619d Reviewed-on: https://code.wireshark.org/review/10422 Reviewed-by: Guy Harris <guy@alum.mit.edu>
author: Guy Harris <guy@alum.mit.edu> 2015-09-07 17:46:03 -0700
committer: Guy Harris <guy@alum.mit.edu> 2015-09-08 00:46:41 +0000
commit: 44a0bafd15a8d1e606f87198f679a5fec1a4bfd2 (patch)
tree: e8a6ed0da5090e4ab840097debccde148df639fb /epan/crypt
parent: f6d0e0946e140591afaf50a7a561679d3c4c2442 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 0f295cde53..659c8075b4 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -328,6 +328,11 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8  *decryption
     }else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP){
         /* AES */
         key_bytes_len = pntoh16(pEAPKey->key_data_len);
+
+        /* AES keys must be at least 128 bits = 16 bytes. */
+        if (key_bytes_len < 16) {
+            return;
+        }
     }
 
     if (key_bytes_len > TKIP_GROUP_KEYBYTES_LEN_MAX || key_bytes_len == 0) { /* Don't read past the end of pEAPKey->ie */
author	Guy Harris <guy@alum.mit.edu>	2015-09-07 17:46:03 -0700
committer	Guy Harris <guy@alum.mit.edu>	2015-09-08 00:46:41 +0000
commit	44a0bafd15a8d1e606f87198f679a5fec1a4bfd2 (patch)
tree	e8a6ed0da5090e4ab840097debccde148df639fb /epan/crypt
parent	f6d0e0946e140591afaf50a7a561679d3c4c2442 (diff)