authorGerald Combs <gerald@wireshark.org>2008-08-25 15:22:48 +0000
committerGerald Combs <gerald@wireshark.org>2008-08-25 15:22:48 +0000
commitf31f3f6d14c7045d074ded5cc4716e0dd7be3d82 (patch)
tree103dc19148ad21ecd5c95247c7acd5b0061d8872 /epan/crypt
parent640e4d4025a01914b30f249fa5fb9d3ae33d932f (diff)
Fix a couple of crashes in WPA group key decryption.
svn path=/trunk/; revision=26070
Diffstat (limited to 'epan/crypt')
-rw-r--r--epan/crypt/airpdcap.c3
-rw-r--r--epan/crypt/airpdcap_rijndael.c4
2 files changed, 7 insertions, 0 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 150210b634..0ea6b6ce12 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -355,6 +355,9 @@ AirPDcapDecryptWPABroadcastKey(P_EAPOL_RSN_KEY pEAPKey, guint8 *decryption_key,
memcpy(&key_len, pEAPKey->key_data_len, 2); /* get the key length as a UINT16 */
}
key_len = ntohs(key_len); /* Convert to proper endianess */
+ if (key_len > sizeof(RSN_IE)) { /* Don't read past the end of pEAPKey->ie */
+ return;
+ }
/* Encrypted key is in the information element field of the EAPOL key packet */
szEncryptedKey = g_memdup(pEAPKey->ie, key_len);
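Review bot: The new bound in `if (key_len > sizeof(RSN_IE))` names a type rather than the buffer that `g_memdup` actually reads from; provided `ie` is an array member and not a pointer, `if (key_len > sizeof(pEAPKey->ie)) {` keeps the check tied to that field if the structure layout changes. The check also only shows that the length fits the structure, not that the captured frame really carried that many bytes; whether the caller validated the EAPOL frame length is not visible here and is worth confirming. A `key_len` of zero still passes and makes `g_memdup` return NULL, which the rest of the function, outside this hunk, has to tolerate.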
diff --git a/epan/crypt/airpdcap_rijndael.c b/epan/crypt/airpdcap_rijndael.c
index 4f0d866c5e..c1f400d421 100644
--- a/epan/crypt/airpdcap_rijndael.c
+++ b/epan/crypt/airpdcap_rijndael.c
@@ -1313,6 +1313,10 @@ AES_unwrap(UCHAR *kek, UINT16 key_len, UCHAR *cipher_text, UINT16 cipher_len, UC
gint16 i, j, n;
rijndael_ctx ctx;
+ if (! kek || cipher_len < 16 || ! cipher_text || ! output) {
+ return 1; /* We don't do anything with the return value */
+ }
+
/* Initialize variables */
n = (cipher_len/8)-1; /* the algorithm works on 64-bits at a time */
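Review bot: The added guard rejects short input but still accepts a `cipher_len` that is not a multiple of 8, so `n = (cipher_len/8)-1` truncates and the trailing bytes are silently ignored; AES key unwrap works on whole 64-bit blocks, so the condition should also include `(cipher_len % 8) != 0`. The comment on `return 1` says callers ignore the result, which means a rejected call leaves `output` unwritten while the caller carries on as if a key had been unwrapped. The callers are outside this hunk, but they should check the return value, or the function header should state that `output` is untouched on failure. `key_len` is not validated here either, and whether the rijndael key setup further down in the function copes with an unexpected size cannot be seen from this hunk.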