author | etxrab <etxrab@f5534014-38df-0310-8fa8-9805f1628bb7> | 2011-09-15 06:44:20 +0000 |
---|---|---|
committer | etxrab <etxrab@f5534014-38df-0310-8fa8-9805f1628bb7> | 2011-09-15 06:44:20 +0000 |
commit | c9b1712a3e7d0e366de05570b1f6bae2cac6e6c3 (patch) | |
tree | 3ed7168b7f2f6135e874d7c3fb2e854363c2dee4 | |
parent | d5ecc2908336ad22dd7eb2e3433004ce1b302b44 (diff) |
From Jouni Malinen:
ieee80211: Verify ANQP info header
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6339
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@39005 f5534014-38df-0310-8fa8-9805f1628bb7
-rw-r--r-- | epan/dissectors/packet-ieee80211.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
index 4c36b7f93a..003849b48a 100644
--- a/epan/dissectors/packet-ieee80211.c
+++ b/epan/dissectors/packet-ieee80211.c
@@ -3483,6 +3483,11 @@ dissect_anqp(proto_tree *tree, tvbuff_t *tvb, int offset, gboolean request)
 proto_tree_add_text(tree, tvb, offset, 4, request ? "Access Network Query Protocol Request" : "Access Network Query Protocol Response");
+ if (tvb_reported_length_remaining(tvb, offset) < 4) {
+ expert_add_info_format(g_pinfo, tree, PI_MALFORMED, PI_ERROR,
+ "Not enough room for ANQP header");
+ return;
+ }
 proto_tree_add_item(tree, hf_ieee80211_ff_anqp_info_id, tvb, offset, 2, TRUE);
 id = tvb_get_letohs(tvb, offset);
@@ -3491,6 +3496,11 @@ dissect_anqp(proto_tree *tree, tvbuff_t *tvb, int offset, gboolean request)
 tvb, offset, 2, TRUE);
 len = tvb_get_letohs(tvb, offset);
 offset += 2;
+ if (tvb_reported_length_remaining(tvb, offset) < len) {
+ expert_add_info_format(g_pinfo, tree, PI_MALFORMED, PI_ERROR,
+ "Invalid ANQP Info length");
+ return;
+ }
 switch (id) {
 case ANQP_INFO_ANQP_VENDOR_SPECIFIC_LIST: |
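Review bot: In the first hunk the new header check runs after `proto_tree_add_text(tree, tvb, offset, 4, ...)`, so on a truncated frame the 4-byte item has already been added to the tree (or, depending on how that call treats a short buffer, may already have raised) before the malformed-packet expert info is recorded. Moving the `if (tvb_reported_length_remaining(tvb, offset) < 4)` block above the `proto_tree_add_text` call would make the length check the first thing that touches the untrusted frame data. The literal `4` would also read better with a comment such as `/* ANQP element header: 2-byte Info ID + 2-byte Length */`, which matches the two 2-byte reads that follow. dissect_anqp starts and ends outside this hunk, so the ordering should be confirmed against the whole function.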
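Review bot: In the second hunk `tvb_reported_length_remaining(tvb, offset) < len` compares a signed return value with `len`, whose declaration is outside the hunk. If `len` is an unsigned type as wide as `int`, a negative return for an out-of-range offset would convert to a large unsigned value and the check would let the element through. In that case `if (tvb_reported_length_remaining(tvb, offset) < (gint)len)` keeps the comparison signed; if `len` is a 16-bit type the integer promotion is already safe, and a comment such as `/* len is 16-bit, promoted to int for this comparison */` would record why. The check bounds only the element as a whole, so the per-ID handlers reached through the `switch` (outside the hunk) presumably still need to keep their own reads within `len`.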