author | Gerald Combs <gerald@wireshark.org> | 2011-02-16 22:57:36 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2011-02-16 22:57:36 +0000 |
commit | 69901e8eba7d3538773119066139008dee5f7538 (patch) | |
tree | 327a9f976f7fd017b2c468b8bc5ea7aed25cca1f | |
parent | 64666812e93987d3668d022c1d9f53bd82be8e30 (diff) |
Fix Visual C++ code analysis errors.
svn path=/trunk/; revision=35970
-rw-r--r-- | epan/crypt/airpdcap.c | 26 | ||||
-rw-r--r-- | epan/crypt/airpdcap_ccmp.c | 2 |
2 files changed, 25 insertions, 3 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c index 35c3c1eff5..65bbde1a21 100644 --- a/epan/crypt/airpdcap.c +++ b/epan/crypt/airpdcap.c @@ -995,6 +995,7 @@ AirPDcapRsnaMng( { INT ret_value=1; UCHAR *try_data; + guint try_data_len = *decrypt_len; if (sa->key==NULL) { AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "No key associated", AIRPDCAP_DEBUG_LEVEL_3); @@ -1006,11 +1007,16 @@ AirPDcapRsnaMng( } /* allocate a temp buffer for the decryption loop */ - try_data=(UCHAR *)ep_alloc(*decrypt_len); + try_data=(UCHAR *)ep_alloc(try_data_len); /* start of loop added by GCS */ for(/* sa */; sa != NULL ;sa=sa->next) { + if (*decrypt_len > try_data_len) { + AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Invalid decryption length", AIRPDCAP_DEBUG_LEVEL_3); + return AIRPDCAP_RET_UNSUCCESS; + } + /* copy the encrypted data into a temp buffer */ memcpy(try_data, decrypt_data, *decrypt_len); @@ -1050,6 +1056,11 @@ AirPDcapRsnaMng( if(sa == NULL) return ret_value; + if (*decrypt_len > try_data_len || *decrypt_len < 8) { + AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Invalid decryption length", AIRPDCAP_DEBUG_LEVEL_3); + return AIRPDCAP_RET_UNSUCCESS; + } + /* copy the decrypted data into the decrypt buffer GCS*/ memcpy(decrypt_data, try_data, *decrypt_len); @@ -1089,7 +1100,10 @@ AirPDcapWepMng( INT key_index; AIRPDCAP_KEY_ITEM *tmp_key; UINT8 useCache=FALSE; - UCHAR *try_data = (UCHAR *)ep_alloc(*decrypt_len); + UCHAR *try_data; + guint try_data_len = *decrypt_len; + + try_data = (UCHAR *)ep_alloc(try_data_len); if (sa->key!=NULL) useCache=TRUE; @@ -1159,6 +1173,11 @@ AirPDcapWepMng( /* remove ICV (4bytes) from the end of packet */ *decrypt_len-=4; + if (*decrypt_len < 4) { + AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "Decryption length too short", AIRPDCAP_DEBUG_LEVEL_3); + return AIRPDCAP_RET_UNSUCCESS; + } + /* remove protection bit */ decrypt_data[1]&=0xBF; 
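Review bot: In AirPDcapRsnaMng, the lower bound in `*decrypt_len < 8` (the check added before the final copy back into `decrypt_data`) is a bare constant with no stated meaning. The code that relies on it lies after the end of the hunk, so a reader cannot tell from here which header the 8 bytes stand for, or whether any other header length should be part of the bound. I would put a comment on the check, e.g. `/* need at least the 8-byte <header name> stripped below */`, or replace the literal with a named constant.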
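Review bot: In AirPDcapWepMng the new length check runs after `*decrypt_len-=4;`, so it tests the already-reduced value. If `*decrypt_len` is unsigned (the new `guint try_data_len = *decrypt_len;` suggests so, but the parameter declaration is outside the hunk), an input shorter than 4 bytes wraps to a very large length and passes `*decrypt_len < 4`, so any later use of that length on the buffer is unguarded. The error path also returns with the caller's length already modified. Test before subtracting, with the same minimum: `if (*decrypt_len < 8) { ... return AIRPDCAP_RET_UNSUCCESS; }` and only then `*decrypt_len-=4;`.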
@@ -1702,6 +1721,9 @@ AirPDcapRsnaPwd2PskStep( UCHAR digest[36], digest1[AIRPDCAP_SHA_DIGEST_LEN]; INT i, j; + if (ssidLength > 36 - 4) + return AIRPDCAP_RET_UNSUCCESS; + /* U1 = PRF(P, S || INT(i)) */ memcpy(digest, ssid, ssidLength); digest[ssidLength] = (UCHAR)((count>>24) & 0xff); diff --git a/epan/crypt/airpdcap_ccmp.c b/epan/crypt/airpdcap_ccmp.c index a0cf4c85e9..b734fe030b 100644 --- a/epan/crypt/airpdcap_ccmp.c +++ b/epan/crypt/airpdcap_ccmp.c @@ -149,7 +149,7 @@ static void ccmp_init_blocks( aad[2] = (UINT8)(wh->fc[0] & 0x8f); /* XXX magic #s */ aad[3] = (UINT8)(wh->fc[1] & 0xc7); /* XXX magic #s */ /* NB: we know 3 addresses are contiguous */ - memcpy(aad + 4, wh->addr1, 3 * AIRPDCAP_MAC_LEN); + memcpy(aad + 4, &wh->addr1[0], 3 * AIRPDCAP_MAC_LEN); aad[22] = (UINT8)(wh->seq[0] & AIRPDCAP_SEQ_FRAG_MASK); aad[23] = 0; /* all bits masked */ /* |
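Review bot: The bound added at the top of AirPDcapRsnaPwd2PskStep, `if (ssidLength > 36 - 4)`, repeats the size of `digest[36]` as a literal, so the check goes stale silently if the array is ever resized. Write it against the object instead, `if (ssidLength > sizeof digest - 4)`, with a short comment that the 4 bytes are reserved for the `count` bytes stored after the SSID (the first is visible at `digest[ssidLength]`). The declaration of `ssidLength` is outside the hunk; should it be a signed type, comparing against the `size_t` expression also rejects a negative length, which the literal form lets through to `memcpy`.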
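Review bot: Replacing `wh->addr1` with `&wh->addr1[0]` in ccmp_init_blocks yields the same pointer, so the copy of `3 * AIRPDCAP_MAC_LEN` bytes still runs past `addr1` (assuming it holds one address of `AIRPDCAP_MAC_LEN` bytes). It still depends on the following address fields being contiguous, as the existing `NB` comment says. The change quiets the analyzer without removing that layout assumption. Either copy each address field into `aad` with its own `AIRPDCAP_MAC_LEN`-sized `memcpy`, or back the assumption with a compile-time check on the struct layout next to the comment. The struct definition is not part of this diff, so field names and padding need to be confirmed there.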