authoretxrab <etxrab@f5534014-38df-0310-8fa8-9805f1628bb7>2011-09-15 06:44:20 +0000
committeretxrab <etxrab@f5534014-38df-0310-8fa8-9805f1628bb7>2011-09-15 06:44:20 +0000
commitc9b1712a3e7d0e366de05570b1f6bae2cac6e6c3 (patch)
tree3ed7168b7f2f6135e874d7c3fb2e854363c2dee4
parentd5ecc2908336ad22dd7eb2e3433004ce1b302b44 (diff)
From Jouni Malinen:
ieee80211: Verify ANQP info header https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6339 git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@39005 f5534014-38df-0310-8fa8-9805f1628bb7
-rw-r--r--epan/dissectors/packet-ieee80211.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
index 4c36b7f93a..003849b48a 100644
--- a/epan/dissectors/packet-ieee80211.c
+++ b/epan/dissectors/packet-ieee80211.c
@@ -3483,6 +3483,11 @@ dissect_anqp(proto_tree *tree, tvbuff_t *tvb, int offset, gboolean request)
proto_tree_add_text(tree, tvb, offset, 4,
request ? "Access Network Query Protocol Request" :
"Access Network Query Protocol Response");
+ if (tvb_reported_length_remaining(tvb, offset) < 4) {
+ expert_add_info_format(g_pinfo, tree, PI_MALFORMED, PI_ERROR,
+ "Not enough room for ANQP header");
+ return;
+ }
proto_tree_add_item(tree, hf_ieee80211_ff_anqp_info_id,
tvb, offset, 2, TRUE);
id = tvb_get_letohs(tvb, offset);
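Review bot: The new four-byte check sits after the `proto_tree_add_text(tree, tvb, offset, 4, ...)` call, so the label item already claims four bytes at `offset` before the header is known to be present. Depending on how the proto_tree_add_* layer handles an over-long item (not visible here, so this is inferred), a truncated frame either raises a bounds exception before the expert info is attached or leaves a tree item covering bytes that do not exist. Moving the `if (tvb_reported_length_remaining(tvb, offset) < 4) { ... return; }` block above the `proto_tree_add_text` call would make the malformed-header report the first thing that happens on short input. A one-line comment such as `/* ANQP header: 2-byte Info ID + 2-byte Length */` would also explain the literal 4. The body of dissect_anqp starts and ends outside this hunk, so the effect of the early `return` on the caller could not be checked.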
@@ -3491,6 +3496,11 @@ dissect_anqp(proto_tree *tree, tvbuff_t *tvb, int offset, gboolean request)
tvb, offset, 2, TRUE);
len = tvb_get_letohs(tvb, offset);
offset += 2;
+ if (tvb_reported_length_remaining(tvb, offset) < len) {
+ expert_add_info_format(g_pinfo, tree, PI_MALFORMED, PI_ERROR,
+ "Invalid ANQP Info length");
+ return;
+ }
switch (id)
{
case ANQP_INFO_ANQP_VENDOR_SPECIFIC_LIST:
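Review bot: The comparison `tvb_reported_length_remaining(tvb, offset) < len` mixes a signed gint return value with `len`, whose declaration is outside the hunk. If `len` is a 16-bit type the promotion is harmless, but if it is an unsigned type of int width, a negative remaining length would convert to a large unsigned value and the check would pass for exactly the truncated input it is meant to reject. Making the intent explicit with `if (tvb_reported_length_remaining(tvb, offset) < (gint)len) {` removes that dependency on the declaration. The expert message would also be more useful for triage if it carried the values, for example `"Invalid ANQP Info length (%u > %d bytes remaining)"`.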