From b5d062ba57efd4b78f83518ac868fcb25d9bc243 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 11 Mar 2015 19:31:56 +0100
Subject: Fix buffer overflow in 802.11 decryption

The sha1 function outputs a multiple of 20 bytes while the ptk buffer has only a size of 64 bytes. Follow the hint in 802.11i-2004, page 164 and use an output buffer of 80 octets.

Noticed when running Wireshark with ASAN, on exit it would try to free a "next" pointer which was filled with sha1 garbage. It probably got triggered via 3f8fbb734915aaf74eb006898e8fabb007afbf48 which made AirPDcap responsible for managing its own memory.

Bug: 10849
Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
Reviewed-on: https://code.wireshark.org/review/7645
Reviewed-by: Evan Huus
Petri-Dish: Michael Mann
Reviewed-by: Peter Wu
Tested-by: Peter Wu
Reviewed-by: Michael Mann
---
 epan/crypt/airpdcap.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'epan/crypt/airpdcap.c')

diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index d2bfee9102..bc1ca32567 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -1737,7 +1737,8 @@ AirPDcapGetBssidAddress(
     }
 }
 
-/* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74 */
+/* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74
+ * and IEEE 802.11i-2004, pag. 164 */
 static void
 AirPDcapRsnaPrfX(
     AIRPDCAP_SEC_ASSOCIATION *sa,
@@ -1749,6 +1750,7 @@ AirPDcapRsnaPrfX(
     UINT8 i;
     UCHAR R[100];
     INT offset=sizeof("Pairwise key expansion");
+    UCHAR output[80]; /* allow for sha1 overflow. */
 
     memset(R, 0, 100);
 
@@ -1785,8 +1787,9 @@ AirPDcapRsnaPrfX(
     for(i = 0; i < (x+159)/160; i++)
     {
         R[offset] = i;
-        sha1_hmac(pmk, 32, R, 100, ptk + i * 20);
+        sha1_hmac(pmk, 32, R, 100, &output[20 * i]);
     }
+    memcpy(ptk, output, x/8);
 }
 
 static INT
-- 
cgit v1.2.3
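Review bot: In the third hunk the new `output[80]` buffer is still not bounded by the requested length: the loop runs `(x+159)/160` times and each `sha1_hmac` call writes 20 bytes at `&output[20 * i]`, so any x above 640 bits overruns `output` on the stack exactly as the old code overran `ptk`, and `memcpy(ptk, output, x/8)` trusts the caller's `ptk` to hold x/8 bytes. A guard before the loop, `if (x > 8 * sizeof output) return;`, would turn a future caller mismatch into a no-op instead of a stack write past the end, and the 64-byte `ptk` named in the commit message suggests the copy length deserves the same bound. `output` holds derived key material and is left behind on the stack after return; a plain `memset` before return may be optimized away, so the platform's secure-wipe primitive (or a memset followed by a compiler barrier) is worth considering. The comment `/* allow for sha1 overflow. */` in the second hunk would be clearer as `/* 4 x 20-byte SHA-1 outputs: the PRF emits whole 160-bit blocks */`. AirPDcapRsnaPrfX's signature, where x and ptk are declared, starts outside the hunk, so their types are inferred here from the arithmetic.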