Diffstat (limited to 'epan/crypt/airpdcap.c')
-rw-r--r--epan/crypt/airpdcap.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 35c3c1eff5..65bbde1a21 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -995,6 +995,7 @@ AirPDcapRsnaMng(
{
INT ret_value=1;
UCHAR *try_data;
+ guint try_data_len = *decrypt_len;
if (sa->key==NULL) {
AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "No key associated", AIRPDCAP_DEBUG_LEVEL_3);
@@ -1006,11 +1007,16 @@ AirPDcapRsnaMng(
}
/* allocate a temp buffer for the decryption loop */
- try_data=(UCHAR *)ep_alloc(*decrypt_len);
+ try_data=(UCHAR *)ep_alloc(try_data_len);
/* start of loop added by GCS */
for(/* sa */; sa != NULL ;sa=sa->next) {
+ if (*decrypt_len > try_data_len) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Invalid decryption length", AIRPDCAP_DEBUG_LEVEL_3);
+ return AIRPDCAP_RET_UNSUCCESS;
+ }
+
/* copy the encrypted data into a temp buffer */
memcpy(try_data, decrypt_data, *decrypt_len);
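Review bot: The guard added at the top of the loop cannot fire on the first pass, because `try_data_len` is initialised from `*decrypt_len` before the loop, so a reader has to work out for themselves that it protects later iterations. Presumably an earlier attempt with a different SA can change `*decrypt_len`. A comment should say so, for example `/* *decrypt_len may have been changed by an earlier attempt; never copy more than try_data holds */`. The debug string "Invalid decryption length" is also reused verbatim by the check added after the loop, so the two failure sites cannot be told apart in a trace. The loop body continues outside the hunk.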
@@ -1050,6 +1056,11 @@ AirPDcapRsnaMng(
if(sa == NULL)
return ret_value;
+ if (*decrypt_len > try_data_len || *decrypt_len < 8) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Invalid decryption length", AIRPDCAP_DEBUG_LEVEL_3);
+ return AIRPDCAP_RET_UNSUCCESS;
+ }
+
/* copy the decrypted data into the decrypt buffer GCS*/
memcpy(decrypt_data, try_data, *decrypt_len);
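Review bot: The lower bound `*decrypt_len < 8` is a bare magic number, and nothing visible in this hunk says which 8 bytes it reserves. The upper-bound half of the test appears to double as the detector for an unsigned wrap-around from a length subtraction earlier in the function (inferred, since that arithmetic is outside the hunk). Both facts deserve a comment, for example `/* a wrapped length shows up as > try_data_len; at least 8 bytes must remain for the header stripped below */`, or a named constant in place of `8`. If the code after the `memcpy` also subtracts a MAC header offset from `*decrypt_len`, the minimum should include that offset as well. This is worth confirming against the lines that follow.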
@@ -1089,7 +1100,10 @@ AirPDcapWepMng(
INT key_index;
AIRPDCAP_KEY_ITEM *tmp_key;
UINT8 useCache=FALSE;
- UCHAR *try_data = (UCHAR *)ep_alloc(*decrypt_len);
+ UCHAR *try_data;
+ guint try_data_len = *decrypt_len;
+
+ try_data = (UCHAR *)ep_alloc(try_data_len);
if (sa->key!=NULL)
useCache=TRUE;
@@ -1159,6 +1173,11 @@ AirPDcapWepMng(
/* remove ICV (4bytes) from the end of packet */
*decrypt_len-=4;
+ if (*decrypt_len < 4) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "Decryption length too short", AIRPDCAP_DEBUG_LEVEL_3);
+ return AIRPDCAP_RET_UNSUCCESS;
+ }
+
/* remove protection bit */
decrypt_data[1]&=0xBF;
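Review bot: The new test `if (*decrypt_len < 4)` runs after `*decrypt_len-=4;`, so it does not catch an input shorter than 4. If the length is unsigned, as the `guint try_data_len = *decrypt_len;` added earlier in AirPDcapWepMng suggests, a value of 0 to 3 wraps to a very large number and passes the check. Validating before the subtraction closes that gap and keeps the same minimum result: `if (*decrypt_len < 8) { ... return AIRPDCAP_RET_UNSUCCESS; }` followed by `*decrypt_len-=4;`. Unlike the AirPDcapRsnaMng checks, nothing here compares against `try_data_len`, which in the visible hunks is used only for the allocation. Checking first also avoids handing the caller an already-decremented length on the error path. The function body between the two AirPDcapWepMng hunks is not shown, so an earlier minimum-length guarantee cannot be ruled out.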
@@ -1702,6 +1721,9 @@ AirPDcapRsnaPwd2PskStep(
UCHAR digest[36], digest1[AIRPDCAP_SHA_DIGEST_LEN];
INT i, j;
+ if (ssidLength > 36 - 4)
+ return AIRPDCAP_RET_UNSUCCESS;
+
/* U1 = PRF(P, S || INT(i)) */
memcpy(digest, ssid, ssidLength);
digest[ssidLength] = (UCHAR)((count>>24) & 0xff);
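Review bot: The bound `ssidLength > 36 - 4` repeats the literal size of `digest[36]` instead of deriving it from the array, so a later change to the declaration would silently desynchronise the check from the buffer it protects. Writing it as `if (ssidLength > sizeof digest - 4)` ties the two together. A short comment such as `/* SSID plus the 4-byte big-endian counter must fit in digest */` would explain the `- 4`. This early return also emits no `AIRPDCAP_DEBUG_PRINT_LINE`, unlike the other length rejections added in this commit. If `ssidLength` is a signed type (its declaration is outside the hunk), a negative value would pass the comparison as written, so confirm it is unsigned.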