802.11 Radiotap: add more bound checks in ieee80211_radiotap_iterator_next()

Bug: 15022
Change-Id: Ife413312c88b8d78926c78bdb6707903257e7964
Reviewed-on: https://code.wireshark.org/review/29017
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/epan/dissectors/packet-ieee80211-radiotap-iter.c b/epan/dissectors/packet-ieee80211-radiotap-iter.c
index 167cb39899..e10fdaf2d7 100644
--- a/epan/dissectors/packet-ieee80211-radiotap-iter.c
+++ b/epan/dissectors/packet-ieee80211-radiotap-iter.c
@@ -132,6 +132,7 @@ int ieee80211_radiotap_iterator_init(
 	iterator->_bitmap_shifter = get_unaligned_le32(&radiotap_header->it_present);
 	iterator->_arg = (guint8 *)radiotap_header + sizeof(*radiotap_header);
 	iterator->_reset_on_ext = 0;
+	iterator->_next_ns_data = NULL;
 	iterator->_next_bitmap = &radiotap_header->it_present;
 	iterator->_next_bitmap++;
 	iterator->_vns = vns;
@@ -288,9 +289,14 @@ int ieee80211_radiotap_iterator_next(
 			}
 			if (!align) {
 				/* skip all subsequent data */
+				if (!iterator->_next_ns_data)
+					return -EINVAL;
 				iterator->_arg = iterator->_next_ns_data;
 				/* give up on this namespace */
 				iterator->current_namespace = NULL;
+				iterator->_next_ns_data = NULL;
+				if (!ITERATOR_VALID(iterator, 0))
+					return -EINVAL;
 				goto next_entry;
 			}
 			break;