diff options
author | Guy Harris <guy@alum.mit.edu> | 2015-05-09 23:53:20 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2015-05-10 06:53:53 +0000 |
commit | be8f9c4cf38594368702eeb0c70e920461a10e6e (patch) | |
tree | 65fbb82c7b5b55b3ebf0c5c6b415cc26397cf5bc /epan/crypt | |
parent | dac801545446180cc593bdd4f13a65488defb6e4 (diff) |
Add some bounds checks.
Change-Id: I5b0405f814d439c1d5ce329a817475102be483af
Reviewed-on: https://code.wireshark.org/review/8373
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'epan/crypt')
-rw-r--r-- | epan/crypt/airpdcap.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c index d4dd7b90d1..eaa0b61d7f 100644 --- a/epan/crypt/airpdcap.c +++ b/epan/crypt/airpdcap.c @@ -408,6 +408,9 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption rsn_id = decrypted_data[key_index]; if (rsn_id != 0xdd){ + if (key_index+1 >= key_bytes_len){ + return; + } key_index += decrypted_data[key_index+1]+2; }else{ key_found = TRUE; @@ -415,6 +418,8 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption } if (key_found){ + if (key_index+8 >= key_bytes_len) + return; /* Skip over the GTK header info, and don't copy past the end of the encrypted data */ memcpy(szEncryptedKey, decrypted_data+key_index+8, key_bytes_len-key_index-8); } |