Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.

A pointer to a EAPOL_RSN_KEY is set on the packet presuming the whole EAPOL_RSN_KEY is there. That's not always the case for fuzzed/malicious captures. Bug: 11585 Change-Id: Ib94b8aceef444c7820e43b969596efdb8dbecccd Reviewed-on: https://code.wireshark.org/review/15540 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
wireshark · May 23, 2016 · 9b0b20b · 9b0b20b
1 parent b831f25
commit 9b0b20b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
@@ -571,7 +571,7 @@ static INT AirPDcapScanForKeys(
 
         /* get and check the body length (IEEE 802.1X-2004, pg. 25) */
         bodyLength=pntoh16(data+offset+2);
-        if ((tot_len-offset-4) < bodyLength) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
+        if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
             AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3);
             return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
         }