diff options
author | Guy Harris <guy@alum.mit.edu> | 2015-09-07 17:46:03 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2015-09-08 00:46:41 +0000 |
commit | 44a0bafd15a8d1e606f87198f679a5fec1a4bfd2 (patch) | |
tree | e8a6ed0da5090e4ab840097debccde148df639fb /epan/crypt | |
parent | f6d0e0946e140591afaf50a7a561679d3c4c2442 (diff) |
Don't try to decrypt with an AES key shorter than 128 bits.
AES keys must be at least 128 bits; AES_unwrap returns a null pointer if
handed a too-short key, and we then just dereference that null pointer
and crash. Just give up with a too-short key.
Bug: 11507
Change-Id: Id1cf0a43c608597a11ff9df40f3654e6ff30619d
Reviewed-on: https://code.wireshark.org/review/10422
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'epan/crypt')
-rw-r--r-- | epan/crypt/airpdcap.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c index 0f295cde53..659c8075b4 100644 --- a/epan/crypt/airpdcap.c +++ b/epan/crypt/airpdcap.c @@ -328,6 +328,11 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption }else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP){ /* AES */ key_bytes_len = pntoh16(pEAPKey->key_data_len); + + /* AES keys must be at least 128 bits = 16 bytes. */ + if (key_bytes_len < 16) { + return; + } } if (key_bytes_len > TKIP_GROUP_KEYBYTES_LEN_MAX || key_bytes_len == 0) { /* Don't read past the end of pEAPKey->ie */ |