From 512f778110d8d698c803c4cb7fcc0d6622d34eaf Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Sat, 28 Nov 2015 01:24:12 +0100
Subject: [PATCH 107/110] Add boundary check for 802.11 decryption

Fixed stack-based buffer overflow when the frame length exceeds 8KB.

Bug: 11790
Change-Id: I20db8901765a7660e587057e955d4fb5a8645574
Reviewed-on: https://code.wireshark.org/review/12237
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
(cherry picked from commit 40b283181c63cb28bc6f58d80315eccca6650da0)
[resolved conflict by accepting comments from v2.1.0rc0-764-g9cd66b2]
Reviewed-on: https://code.wireshark.org/review/12247
(cherry picked from commit a6e8fc8c9af56124d44423c3a85c695ac01c70e7)
Reviewed-on: https://code.wireshark.org/review/13761
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
(cherry picked from commit 1d9c54c2dd366d2c9ba1026fe2e877b794aa13dd)
Reviewed-on: https://code.wireshark.org/review/14375
---
 epan/crypt/airpdcap.c        | 6 ++++++
 epan/crypt/airpdcap_system.h | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index 4838a38..eb2dc37 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -649,6 +649,12 @@ INT AirPDcapPacketProcess(
         return AIRPDCAP_RET_WRONG_DATA_SIZE;
     }
 
+    /* Assume that the decrypt_data field is at least this size. */
+    if (tot_len > AIRPDCAP_MAX_CAPLEN) {
+        AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
+        return AIRPDCAP_RET_UNSUCCESS;
+    }
+
     /* get BSSID */
     if ( (address=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
         memcpy(id.bssid, address, AIRPDCAP_MAC_LEN);
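Review bot: The new guard returns AIRPDCAP_RET_UNSUCCESS while the size check immediately above it (the `return AIRPDCAP_RET_WRONG_DATA_SIZE;` context line) reports the same class of problem with a distinct code; an oversized frame is also a data-size error, so `return AIRPDCAP_RET_WRONG_DATA_SIZE;` would keep callers' error handling consistent and let them distinguish a too-large frame from a genuine decryption failure. The comment `/* Assume that the decrypt_data field is at least this size. */` reads as a vague assumption rather than the contract being enforced; something like `/* Callers must pass a decrypt_data buffer of at least AIRPDCAP_MAX_CAPLEN bytes; reject anything that would not fit (bug 11790). */` says why the check exists. The header in this same patch says decrypt_data may be NULL, in which case the output is discarded; whether the check can be skipped in that case depends on whether the decryption path uses a fixed-size buffer internally, which is not visible here, so I would leave the check unconditional unless that is confirmed. AirPDcapPacketProcess begins before this hunk.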
diff --git a/epan/crypt/airpdcap_system.h b/epan/crypt/airpdcap_system.h
index 69ec762..5a63fdb 100644
--- a/epan/crypt/airpdcap_system.h
+++ b/epan/crypt/airpdcap_system.h
@@ -182,8 +182,10 @@ extern "C" {
  * @param data_off [IN] Payload offset (aka the MAC header length)
  * @param data_len [IN] Total length of the MAC header and the payload
  * @param decrypt_data [OUT] Pointer to a buffer that will contain
- *   decrypted data
- * @param decrypt_len [OUT] Length of decrypted data
+ *   decrypted data. If this parameter is set to NULL, decrypted data will
+ *   be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
+ * @param decrypt_len [OUT] Length of decrypted data if decrypt_data
+ *   is not NULL.
  * @param key [OUT] Pointer to a preallocated key structure containing
  *   the key used during the decryption process (if done). If this parameter
  *   is set to NULL, the key will be not returned.
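Review bot: The decrypt_data documentation now states the AIRPDCAP_MAX_CAPLEN minimum but not that the function enforces it, which is the behaviour this patch adds in airpdcap.c; a caller reading only the header cannot tell that larger frames are refused rather than truncated. I would extend the @param text with `Frames whose total length exceeds AIRPDCAP_MAX_CAPLEN are rejected without being decrypted.` and, if the function's return-code documentation (outside this hunk) lists failure codes, name the code returned in that case there too. The decrypt_len line could also say it is left untouched when decrypt_data is NULL, if that is what the implementation does; that is not visible in this hunk.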
-- 
2.1.4

