diff options
author | Evan Huus <eapache@gmail.com> | 2013-12-13 20:09:17 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2013-12-13 20:09:17 +0000 |
commit | 4b6ef3fac248c5e1c06195a69fae0475d2c02843 (patch) | |
tree | 69dac8173df37bbf5d589b4ae3da725a5eca7cf1 /epan/dissectors | |
parent | 7d016fc24f4f83d99b336df1a243a64db93cc620 (diff) |
Add another check to radiotap-iter initialization to catch another out-of-bounds
read found while fuzzing with valgrind. Hopefully doesn't break valid captures.
svn path=/trunk/; revision=54056
Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-ieee80211-radiotap-iter.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ieee80211-radiotap-iter.c b/epan/dissectors/packet-ieee80211-radiotap-iter.c index a0a7711ddc..b80dbffeeb 100644 --- a/epan/dissectors/packet-ieee80211-radiotap-iter.c +++ b/epan/dissectors/packet-ieee80211-radiotap-iter.c @@ -159,6 +159,8 @@ int ieee80211_radiotap_iterator_init( /* find payload start allowing for extended bitmap(s) */ if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) { + if (!ITERATOR_VALID(iterator, sizeof(guint32))) + return -EINVAL; while (get_unaligned_le32(iterator->_arg) & (1 << IEEE80211_RADIOTAP_EXT)) { iterator->_arg += sizeof(guint32); |