author | Mikael Kanstrup <mikael.kanstrup@sony.com> | 2019-09-18 14:25:12 +0200 |
---|---|---|
committer | Pascal Quantin <pascal@wireshark.org> | 2019-09-18 16:01:09 +0000 |
commit | 74bccadff2080a45b6758a355e3c7737409832c4 (patch) | |
tree | 3d2af35125887919ea75a84735904090113ddfe3 /epan/crypt | |
parent | 828ff6ddb0a824de7f48af8b2018c3d4506a48ce (diff) |
dot11crypt: Fix crash on failure finding GTK in decrypted frame
If GTK cannot be found inside a successfully decrypted wireless frame
the dot11crypt engine returns incorrect decrypted data length of 0
bytes. As the IEEE802.11 dissector does not check the length of the
decrypted frame the number of bytes allocated and copied to wmem ends
up being a negative number (i.e. a huge unsigned number). This results
in a SIGSEGV crash while copying data.
Fix this both by returning a correct length from dot11crypt engine
and add an extra protection to the IEEE802.11 dissector if the length
for any (other) reason still would end up being a negative number.
Bug: 16058
Change-Id: I9d0d1cf50498dece2e008222eebbb3edc8f10159
Reviewed-on: https://code.wireshark.org/review/34558
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
Diffstat (limited to 'epan/crypt')
-rw-r--r-- | epan/crypt/dot11decrypt.c | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/epan/crypt/dot11decrypt.c b/epan/crypt/dot11decrypt.c index 246a54ba8e..6e028654f8 100644 --- a/epan/crypt/dot11decrypt.c +++ b/epan/crypt/dot11decrypt.c @@ -403,8 +403,6 @@ Dot11DecryptDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decrypt static DOT11DECRYPT_KEY_ITEM dummy_key; /* needed in case Dot11DecryptRsnaMng() wants the key structure */ DOT11DECRYPT_SEC_ASSOCIATION *tmp_sa; - *decrypted_len = 0; - /* We skip verifying the MIC of the key. If we were implementing a WPA supplicant we'd want to verify, but for a sniffer it's not needed. */ /* Preparation for decrypting the group key - determine group key data length */ |
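Review bot: With the `*decrypted_len = 0;` assignment dropped from the top of Dot11DecryptDecryptWPABroadcastKey, the function no longer documents or enforces what `*decrypted_len` holds on paths that return without finding a GTK; the result now depends on whatever value the caller passed in. Please add a comment at the function header stating that the out-parameter is left unchanged unless the function sets it later, and confirm that every caller initialises it to the real decrypted frame length before the call. The commit message also mentions an extra length check in the IEEE802.11 dissector, but this diff is limited to epan/crypt, so that check cannot be reviewed here; it should reject a decrypted length smaller than the header bytes it subtracts before the value is used for allocation and copy.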