authorGerald Combs <gerald@wireshark.org>2008-08-25 15:26:15 +0000
committerGerald Combs <gerald@wireshark.org>2008-08-25 15:26:15 +0000
commitab689cc3341496f70b810904f2a61014b9a8b1a5 (patch)
tree1f57d05f4516c88ab79392ea37e592f63c053b8c /epan/crypt
parentf31f3f6d14c7045d074ded5cc4716e0dd7be3d82 (diff)
Add another buffer length check to group key decryption.
svn path=/trunk/; revision=26071
Diffstat (limited to 'epan/crypt')
-rw-r--r--epan/crypt/airpdcap.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 0ea6b6ce12..241ab4c9d7 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -459,6 +459,7 @@ AirPDcapGetSaPtr(
return &ctx->sa[sa_index];
}
+#define GROUP_KEY_PAYLOAD_LEN (8+4+sizeof(EAPOL_RSN_KEY))
INT AirPDcapScanForGroupKey(
PAIRPDCAP_CONTEXT ctx,
const guint8 *data,
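Review bot: The literals `8` and `4` in `GROUP_KEY_PAYLOAD_LEN` are unexplained, and nothing in this hunk ties them to the offsets the function later advances by, so the minimum length can silently drift from the parsing code. I would add a comment above the define naming what each term covers, for example `/* minimum bytes after the MAC header: <8-byte header> + <4-byte header> + key descriptor */`, with the placeholders filled in from the function body, which is outside this hunk. Note also that `sizeof` makes the whole expression `size_t`, so any comparison against it is done unsigned.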
@@ -487,6 +488,11 @@ INT AirPDcapScanForGroupKey(
AIRPDCAP_DEBUG_TRACE_START("AirPDcapScanForGroupKey");
+ if (mac_header_len + GROUP_KEY_PAYLOAD_LEN < tot_len) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Message too short", AIRPDCAP_DEBUG_LEVEL_3);
+ return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
+ }
+
/* cache offset in the packet data */
offset = mac_header_len;
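Review bot: The new guard's comparison looks inverted: `mac_header_len + GROUP_KEY_PAYLOAD_LEN < tot_len` is true when the frame is longer than the minimum, so well-formed frames are rejected as "Message too short" while genuinely short frames fall through to the parsing that starts at `offset = mac_header_len`. Since `data` comes from captured traffic, the short case is the one that must be stopped before any field is read; the condition should be `if (tot_len < mac_header_len + GROUP_KEY_PAYLOAD_LEN) {`. The declarations of `mac_header_len` and `tot_len` are outside the hunk, so it is worth confirming they are unsigned or non-negative, because the `sizeof` term forces an unsigned comparison. The rest of the function body is also outside this hunk.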