Fix buffer overflow in 802.11 decryption

The sha1 function outputs a multiple of 20 bytes while the ptk buffer
has only a size of 64 bytes. Follow the hint in 802.11i-2004, page 164
and use an output buffer of 80 octets.

Noticed when running Wireshark with ASAN, on exit it would try to free a
"next" pointer which was filled with sha1 garbage. It probably got
triggered via 3f8fbb734915aaf74eb006898e8fabb007afbf48 which made
AirPDcap responsible for managing its own memory.

Bug: 10849
Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
Reviewed-on: https://code.wireshark.org/review/7645
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>

1 files changed, 5 insertions, 2 deletions

diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index d2bfee9102..bc1ca32567 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -1737,7 +1737,8 @@ AirPDcapGetBssidAddress(
     }
 }
 
-/* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74 */
+/* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74
+ * and IEEE 802.11i-2004, pag. 164 */
 static void
 AirPDcapRsnaPrfX(
     AIRPDCAP_SEC_ASSOCIATION *sa,
@@ -1749,6 +1750,7 @@ AirPDcapRsnaPrfX(
     UINT8 i;
     UCHAR R[100];
     INT offset=sizeof("Pairwise key expansion");
+    UCHAR output[80]; /* allow for sha1 overflow. */
 
     memset(R, 0, 100);
 
@@ -1785,8 +1787,9 @@ AirPDcapRsnaPrfX(
     for(i = 0; i < (x+159)/160; i++)
     {
         R[offset] = i;
-        sha1_hmac(pmk, 32, R, 100, ptk + i * 20);
+        sha1_hmac(pmk, 32, R, 100, &output[20 * i]);
     }
+    memcpy(ptk, output, x/8);
 }
 
 static INT