author | Martin Kaiser <wireshark@kaiser.cx> | 2013-10-15 15:11:40 +0000 |
---|---|---|
committer | Martin Kaiser <wireshark@kaiser.cx> | 2013-10-15 15:11:40 +0000 |
commit | ef33b36768e0ad010818b147d8a847968b37dde5 (patch) | |
tree | ae02a9685eebc9d8af69b945faecf6909c989ab7 /wiretap | |
parent | 7d66e3806beaf033935772dcbfb1f4a7a0a04651 (diff) |
code review of parse_s1_W_stats()
range check for array index
don't assign the result of pntohs() to a gint16
range check for the values stored in phdr.(cap)len
svn path=/trunk/; revision=52618
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/vwr.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/wiretap/vwr.c b/wiretap/vwr.c
index 04253989e2..97a650dca3 100644
--- a/wiretap/vwr.c
+++ b/wiretap/vwr.c
@@ -1046,7 +1046,8 @@ static int parse_s1_W_stats(wtap *wth, guint8 *rec, int rec_size, ext_rtap_field
     vwr_t *vwr = (vwr_t *)wth->priv;
     register int i; /* temps */
     register guint8 *s_ptr, *m_ptr; /* stats pointer */
-    gint16 octets, msdu_length; /* octets in frame */
+    guint16 octets, msdu_length; /* octets in frame */
+    guint32 tmp_len;
     guint16 rflags;
     guint8 m_type, flow_seq; /* mod type (CCK-L/CCK-S/OFDM), seqnum */
     guint64 s_time = LL_ZERO, e_time = LL_ZERO; /* start/end */
@@ -1065,6 +1066,10 @@ static int parse_s1_W_stats(wtap *wth, guint8 *rec, int rec_size, ext_rtap_field
     guint64 sig_ts; /* 32 LSBs of timestamp in signature */
     float phyRate;
+
+    if (rec_size<64)
+        rec_size = 64;
+
     /* calculate the start of the statistics block in the buffer */
     /* also get a bunch of fields from the stats block */
     s_ptr = &(rec[rec_size - 64]); /* point to it */
@@ -1101,7 +1106,11 @@ static int parse_s1_W_stats(wtap *wth, guint8 *rec, int rec_size, ext_rtap_field
     /* note that the number of octets in the frame also varies depending on OFDM/CCK, */
     /* because the PLCP header is prepended to the actual MPDU */
     m_ptr = &(rec[((m_type == vwr->MT_OFDM) ? 4 : 6)]);
-    octets -= (m_type == vwr->MT_OFDM) ? 4 : 6;
+    tmp_len = (m_type == vwr->MT_OFDM) ? 4 : 6;
+    if (octets >= tmp_len)
+        octets -= tmp_len;
+    else
+        octets = 0;
     /* sanity check the octets field to determine if it is OK (or segfaults result) */
     /* if it's greater, then truncate to actual record size */
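Review bot: Clamping rec_size up to 64 keeps the index in `s_ptr = &(rec[rec_size - 64])` non-negative, but it does not make the record 64 bytes long: for a shorter record s_ptr now points at `rec[0]` and the stats-block reads that follow still run past the end of the data, unless the caller guarantees a 64-byte minimum buffer, which is not visible in this hunk. Rejecting short records is the safer form, e.g. `if (rec_size < 64) return ERR_VALUE; /* ERR_VALUE: placeholder for whatever parse_s1_W_stats's callers treat as failure */`. The later comment about truncating to the actual record size suggests rec_size is reused, so the clamped value may also misreport the record length there. parse_s1_W_stats's body starts before and continues after this hunk.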
@@ -1137,6 +1146,11 @@ static int parse_s1_W_stats(wtap *wth, guint8 *rec, int rec_size, ext_rtap_field
     /* Pack the common and er structs) */
     r_hdr_len = STATS_COMMON_FIELDS_LEN + EXT_RTAP_FIELDS_LEN;
+    tmp_len = (msdu_length - 4) + r_hdr_len;
+    wth->phdr.len = tmp_len<=G_MAXUINT16 ? tmp_len : 0;
+    tmp_len = (octets - 4) + r_hdr_len;
+    wth->phdr.caplen = tmp_len<=G_MAXUINT16 ? tmp_len : 0;
+
     wth->phdr.len = (msdu_length - 4) + r_hdr_len;
     wth->phdr.caplen = (octets - 4) + r_hdr_len; |
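Review bot: The two range-checked assignments to wth->phdr.len and wth->phdr.caplen are overwritten immediately by the two unchanged lines that follow them, `wth->phdr.len = (msdu_length - 4) + r_hdr_len;` and `wth->phdr.caplen = (octets - 4) + r_hdr_len;`, so the check this commit describes has no effect; those two old lines need to be removed from the new side (the diffstat's 2 deletions are the gint16 and octets lines, not these). Note also that with msdu_length or octets below 4 the subtraction goes negative under integer promotion, and while conversion to the guint32 tmp_len then exceeds G_MAXUINT16 and the check does trip, it yields a zero-length packet header rather than an error, which callers may not distinguish from a genuinely empty record. parse_s1_W_stats's body continues outside this hunk.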