-rw-r--r--epan/dissectors/packet-ieee80211-radiotap-iter.c17
-rw-r--r--epan/dissectors/packet-ieee80211-radiotap.c3
2 files changed, 19 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ieee80211-radiotap-iter.c b/epan/dissectors/packet-ieee80211-radiotap-iter.c
index f6f0b94450..895155f5b9 100644
--- a/epan/dissectors/packet-ieee80211-radiotap-iter.c
+++ b/epan/dissectors/packet-ieee80211-radiotap-iter.c
@@ -74,7 +74,7 @@ static const struct ieee80211_radiotap_namespace radiotap_ns = {
*/
#define ITERATOR_VALID(iterator, size) \
(((iterator)->_arg + (size) - (unsigned char *)((iterator)->_rtheader)) <= \
- (ptrdiff_t)(iterator)->_max_length)
+ (ptrdiff_t)((iterator)->_max_length - sizeof(guint32)))
/**
* ieee80211_radiotap_iterator_init - radiotap parser iterator initialization
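Review bot: In the new ITERATOR_VALID bound, `(iterator)->_max_length - sizeof(guint32)` is evaluated in `size_t` before the cast, so a `_max_length` below 4 wraps and the result relies on the implementation-defined conversion back to `ptrdiff_t`. Casting each operand first avoids this: `(ptrdiff_t)(iterator)->_max_length - (ptrdiff_t)sizeof(guint32))`. The four-byte margin also applies to every use of the macro, including callers outside this hunk that pass a non-zero `size`, so an argument ending in the last four bytes of the header would now be rejected. The comment above the macro starts outside the hunk; it should state that the margin reserves room for a 32-bit read at `_arg`.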
@@ -145,6 +145,8 @@ int ieee80211_radiotap_iterator_init(
#endif
/* find payload start allowing for extended bitmap(s) */
+ if (!ITERATOR_VALID(iterator, 0))
+ return -EINVAL;
if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
while (get_unaligned_le32(iterator->_arg) &
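Review bot: The added `ITERATOR_VALID(iterator, 0)` check sits before the EXT-bit test, so it also runs for headers with no extended bitmap, where the `get_unaligned_le32(iterator->_arg)` read it protects never happens. With the four-byte margin now built into the macro, this may return `-EINVAL` for a short but well-formed header, depending on where `_arg` points at this stage (it is set outside the hunk). Consider moving the two added lines inside the `if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT))` branch, directly before the `while`. The loop body is outside the hunk, so confirm it re-checks the bound after each advance of `_arg`, since this check covers only the first read.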
@@ -403,3 +405,16 @@ int ieee80211_radiotap_iterator_next(
return 0;
}
}
+
+/*
+ * Editor modelines - http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */
diff --git a/epan/dissectors/packet-ieee80211-radiotap.c b/epan/dissectors/packet-ieee80211-radiotap.c
index 8e91dfadf7..fd5a586b4a 100644
--- a/epan/dissectors/packet-ieee80211-radiotap.c
+++ b/epan/dissectors/packet-ieee80211-radiotap.c
@@ -1028,6 +1028,9 @@ dissect_radiotap(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree)
tvb, 2, 2, length);
}
+ if (length < sizeof(struct ieee80211_radiotap_header)) {
+ length = sizeof(struct ieee80211_radiotap_header);
+ }
data = tvb_memdup(wmem_packet_scope(), tvb, 0, length);
if (!data)
return;
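Review bot: Raising `length` to `sizeof(struct ieee80211_radiotap_header)` silently hides a malformed header. The value comes from the capture and is below the fixed header size, yet dissection continues as if it were valid. The clamp needs a comment explaining why, for example `/* declared length is smaller than the fixed header; copy at least the header so later parsing stays in bounds */`. The packet should preferably also be flagged as malformed (an expert-info item), so an analyst can see that the declared length was overridden. The type of `length` is not visible here; if it is signed, the comparison with `sizeof` is performed unsigned, which is worth confirming. dissect_radiotap continues outside the hunk, so later uses of `length` should be checked against the clamped value.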