diff options
author | Gerald Combs <gerald@wireshark.org> | 2008-08-25 15:22:48 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2008-08-25 15:22:48 +0000 |
commit | f31f3f6d14c7045d074ded5cc4716e0dd7be3d82 (patch) | |
tree | 103dc19148ad21ecd5c95247c7acd5b0061d8872 /epan/crypt | |
parent | 640e4d4025a01914b30f249fa5fb9d3ae33d932f (diff) |
Fix a couple of crashes in WPA group key decryption.
svn path=/trunk/; revision=26070
Diffstat (limited to 'epan/crypt')
-rw-r--r-- | epan/crypt/airpdcap.c | 3 | ||||
-rw-r--r-- | epan/crypt/airpdcap_rijndael.c | 4 |
2 files changed, 7 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c index 150210b634..0ea6b6ce12 100644 --- a/epan/crypt/airpdcap.c +++ b/epan/crypt/airpdcap.c @@ -355,6 +355,9 @@ AirPDcapDecryptWPABroadcastKey(P_EAPOL_RSN_KEY pEAPKey, guint8 *decryption_key, memcpy(&key_len, pEAPKey->key_data_len, 2); /* get the key length as a UINT16 */ } key_len = ntohs(key_len); /* Convert to proper endianess */ + if (key_len > sizeof(RSN_IE)) { /* Don't read past the end of pEAPKey->ie */ + return; + } /* Encrypted key is in the information element field of the EAPOL key packet */ szEncryptedKey = g_memdup(pEAPKey->ie, key_len); diff --git a/epan/crypt/airpdcap_rijndael.c b/epan/crypt/airpdcap_rijndael.c index 4f0d866c5e..c1f400d421 100644 --- a/epan/crypt/airpdcap_rijndael.c +++ b/epan/crypt/airpdcap_rijndael.c @@ -1313,6 +1313,10 @@ AES_unwrap(UCHAR *kek, UINT16 key_len, UCHAR *cipher_text, UINT16 cipher_len, UC gint16 i, j, n; rijndael_ctx ctx; + if (! kek || cipher_len < 16 || ! cipher_text || ! output) { + return 1; /* We don't do anything with the return value */ + } + /* Initialize variables */ n = (cipher_len/8)-1; /* the algorithm works on 64-bits at a time */ |