authorGuy Harris <guy@alum.mit.edu>2015-05-09 23:53:20 -0700
committerGuy Harris <guy@alum.mit.edu>2015-05-10 06:53:53 +0000
commitbe8f9c4cf38594368702eeb0c70e920461a10e6e (patch)
tree65fbb82c7b5b55b3ebf0c5c6b415cc26397cf5bc /epan/crypt/airpdcap.c
parentdac801545446180cc593bdd4f13a65488defb6e4 (diff)
Add some bounds checks.
Change-Id: I5b0405f814d439c1d5ce329a817475102be483af Reviewed-on: https://code.wireshark.org/review/8373 Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'epan/crypt/airpdcap.c')
-rw-r--r--epan/crypt/airpdcap.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index d4dd7b90d1..eaa0b61d7f 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -408,6 +408,9 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
rsn_id = decrypted_data[key_index];
if (rsn_id != 0xdd){
+ if (key_index+1 >= key_bytes_len){
+ return;
+ }
key_index += decrypted_data[key_index+1]+2;
}else{
key_found = TRUE;
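Review bot: The added `return;` under `key_index+1 >= key_bytes_len` leaves AirPDcapDecryptWPABroadcastKey from inside the element-walking code with no cleanup and no failure signal, and the same applies to the `return;` added in the second hunk. The function starts and ends outside the hunk, so it cannot be seen here whether `decrypted_data` or `szEncryptedKey` are heap-allocated by this point. If they are, both exits should free them first, because this path is reached on malformed key data taken from captured traffic and would otherwise leak on every such frame. A short comment such as `/* Truncated element: no room for the length byte, give up on this key */` would also record why parsing stops here.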
@@ -415,6 +418,8 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
}
if (key_found){
+ if (key_index+8 >= key_bytes_len)
+ return;
/* Skip over the GTK header info, and don't copy past the end of the encrypted data */
memcpy(szEncryptedKey, decrypted_data+key_index+8, key_bytes_len-key_index-8);
}
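Review bot: The guard `key_index+8 >= key_bytes_len` bounds the copy against the buffer only. The element's own length byte at `decrypted_data[key_index+1]` is never compared with the 8-byte skip or with the bytes remaining, so a 0xdd element shorter than its header, or one that claims to run past the buffer, is still copied into `szEncryptedKey`. Consider extending the test to `if (key_index+8 >= key_bytes_len || decrypted_data[key_index+1] < 6 || key_index+2+decrypted_data[key_index+1] > key_bytes_len)`, assuming the 8 bytes are the two-byte element header plus six bytes of OUI, type and GTK header, as the comment suggests. The unbraced `if` also differs from the braced check added in the first hunk, so bracing it would keep the two consistent. The enclosing function continues outside the hunk.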