author | Peter Wu <peter@lekensteyn.nl> | 2015-03-11 19:31:56 +0100 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2015-03-11 22:47:40 +0000 |
commit | b5d062ba57efd4b78f83518ac868fcb25d9bc243 (patch) | |
tree | e035379ed08f032057df099f23621869135c213a /epan/ftypes | |
parent | 90797b95a02a2ab3c2790e17e999cbf1552daee8 (diff) |
Fix buffer overflow in 802.11 decryption

The sha1 function outputs a multiple of 20 bytes while the ptk buffer
has only a size of 64 bytes. Follow the hint in 802.11i-2004, page 164
and use an output buffer of 80 octets.

Noticed when running Wireshark with ASAN, on exit it would try to free a
"next" pointer which was filled with sha1 garbage. It probably got
triggered via 3f8fbb734915aaf74eb006898e8fabb007afbf48 which made
AirPDcap responsible for managing its own memory.

Bug: 10849
Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
Reviewed-on: https://code.wireshark.org/review/7645
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/ftypes')
0 files changed, 0 insertions, 0 deletions
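
The sizing problem described in the commit message, as an added C example that is not Wireshark's code: a PRF loop built on a 20-byte digest writes whole blocks, so a 64-byte request produces 80 bytes of output. `toy_digest20` is a constructed stand-in for HMAC-SHA1 (not a real hash), and every function name here is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN  20  /* SHA-1 digest size in bytes */
#define PTK_LEN     64  /* 512-bit PTK the caller wants */
#define PRF_BUF_LEN 80  /* 4 whole digests: smallest multiple of 20 >= 64 */

/* Constructed stand-in for HMAC-SHA1 (assumption): always writes 20 bytes. */
static void toy_digest20(const uint8_t *in, size_t n, uint8_t ctr, uint8_t out[DIGEST_LEN])
{
    uint8_t acc = ctr;
    for (size_t i = 0; i < n; i++) acc = (uint8_t)(acc * 31u + in[i]);
    for (size_t i = 0; i < DIGEST_LEN; i++) out[i] = (uint8_t)(acc + i);
}

/* Bytes a whole-block PRF loop writes when asked for `want` bytes. */
size_t prf_bytes_written(size_t want)
{
    return ((want + DIGEST_LEN - 1) / DIGEST_LEN) * DIGEST_LEN;
}

/* Bounds-checked PRF loop: returns bytes written, or 0 if `out_cap`
 * cannot hold every whole digest block the loop would emit. */
size_t prf_blocks(const uint8_t *seed, size_t n, uint8_t *out, size_t out_cap, size_t want)
{
    size_t need = prf_bytes_written(want);
    if (need > out_cap) return 0;  /* a 64-byte buffer fails here */
    uint8_t ctr = 0;
    for (size_t off = 0; off < need; off += DIGEST_LEN)
        toy_digest20(seed, n, ctr++, out + off);
    return need;
}

/* One way to apply the sizing rule: 80-byte scratch, copy out 64. */
int derive_ptk(const uint8_t *seed, size_t n, uint8_t ptk[PTK_LEN])
{
    uint8_t scratch[PRF_BUF_LEN];
    if (prf_blocks(seed, n, scratch, sizeof scratch, PTK_LEN) == 0) return -1;
    memcpy(ptk, scratch, PTK_LEN);
    return 0;
}

int main(void)
{
    printf("PRF-512 writes %zu bytes\n", prf_bytes_written(PTK_LEN));
    return 0;
}
```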