From e395633224fd448fd93af0450b812228192d3a1b Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 24 Feb 2016 00:35:44 +0100
Subject: vwr: fix heap-based buffer overflow
Commit v1.99.10rc0-316-gf28e23f added some additional room for the 16 byte PLCP header and 1 byte L1P. These are however not part of the remaining data, only the header.
Bug: 11795
Change-Id: Ia6935d27366a07f818f147c9094a801429b049e2
Reviewed-on: https://code.wireshark.org/review/12240
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann
Reviewed-by: Anders Broman
---
 wiretap/vwr.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
(limited to 'wiretap')
diff --git a/wiretap/vwr.c b/wiretap/vwr.c
index 846f0d5963..2a2107d9c0 100644
--- a/wiretap/vwr.c
+++ b/wiretap/vwr.c
@@ -1454,22 +1454,19 @@ static gboolean vwr_read_s2_s3_W_rec(vwr_t *vwr, struct wtap_pkthdr *phdr,
 }
 /*
+ * Fill up the per-packet header.
+ *
 * We also copy over 16 bytes of PLCP header + 1 byte of L1P for user
 * position.
 *
 * XXX - for S2, we don't have 16 bytes of PLCP header; do we have
 * the 1 byte of L1P? The current Veriwave dissector just blindly
 * assumes there's a 17-byte blob before the 802.11 header.
- */
- actual_octets = actual_octets + 17;
-
- /*
- * Fill up the per-packet header.
 *
 * We include the length of the metadata headers in the packet lengths.
 */
- phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets;
- phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets;
+ phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 17 + actual_octets;
+ phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 17 + actual_octets;
 phdr->ts.secs = (time_t)s_sec;
 phdr->ts.nsecs = (int)(s_usec * 1000);
--
cgit v1.2.3
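Review bot: The PLCP/L1P prefix size is now a bare `17` written twice on the new `phdr->len` and `phdr->caplen` lines, while `actual_octets` goes back to meaning payload only; whatever code later writes that prefix and copies the payload has to use the same split, and nothing on these lines ties the two together. A single named constant (a new macro, e.g. `#define VW_PLCP_L1P_LEN 17`, which is a suggested name and not an existing one) used here and at the copy, plus `phdr->caplen = phdr->len;` instead of repeating the sum, would keep the reported length and the bytes actually written from drifting apart again, which appears to be the mismatch the commit message describes. The function body starts and ends outside the hunk, so it is not visible here whether `actual_octets` is checked against the record size before it is used as a copy length; if it is not, that check belongs before these assignments.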