Add another check to radiotap-iter initialization to catch another out-of-bounds

read found while fuzzing with valgrind. Hopefully doesn't break valid captures. svn path=/trunk/; revision=54056
author: Evan Huus <eapache@gmail.com> 2013-12-13 20:09:17 +0000
committer: Evan Huus <eapache@gmail.com> 2013-12-13 20:09:17 +0000
commit: 4b6ef3fac248c5e1c06195a69fae0475d2c02843 (patch)
tree: 69dac8173df37bbf5d589b4ae3da725a5eca7cf1 /epan/dissectors
parent: 7d016fc24f4f83d99b336df1a243a64db93cc620 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ieee80211-radiotap-iter.c b/epan/dissectors/packet-ieee80211-radiotap-iter.c
index a0a7711ddc..b80dbffeeb 100644
--- a/epan/dissectors/packet-ieee80211-radiotap-iter.c
+++ b/epan/dissectors/packet-ieee80211-radiotap-iter.c
@@ -159,6 +159,8 @@ int ieee80211_radiotap_iterator_init(
 
 	/* find payload start allowing for extended bitmap(s) */
 	if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
+		if (!ITERATOR_VALID(iterator, sizeof(guint32)))
+			return -EINVAL;
 		while (get_unaligned_le32(iterator->_arg) &
 					(1 << IEEE80211_RADIOTAP_EXT)) {
 			iterator->_arg += sizeof(guint32);
author	Evan Huus <eapache@gmail.com>	2013-12-13 20:09:17 +0000
committer	Evan Huus <eapache@gmail.com>	2013-12-13 20:09:17 +0000
commit	4b6ef3fac248c5e1c06195a69fae0475d2c02843 (patch)
tree	69dac8173df37bbf5d589b4ae3da725a5eca7cf1 /epan/dissectors
parent	7d016fc24f4f83d99b336df1a243a64db93cc620 (diff)