Skip to content

Commit 9b0b20b

Browse files
mmann78AndersBroman
authored andcommitted
Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
A pointer to a EAPOL_RSN_KEY is set on the packet presuming the whole EAPOL_RSN_KEY is there. That's not always the case for fuzzed/malicious captures. Bug: 11585 Change-Id: Ib94b8aceef444c7820e43b969596efdb8dbecccd Reviewed-on: https://code.wireshark.org/review/15540 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
1 parent b831f25 commit 9b0b20b

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

Diff for: epan/crypt/airpdcap.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -571,7 +571,7 @@ static INT AirPDcapScanForKeys(
571571

572572
/* get and check the body length (IEEE 802.1X-2004, pg. 25) */
573573
bodyLength=pntoh16(data+offset+2);
574-
if ((tot_len-offset-4) < bodyLength) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
574+
if (((tot_len-offset-4) < bodyLength) || (bodyLength < sizeof(EAPOL_RSN_KEY))) { /* Only check if frame is long enough for eapol header, ignore tailing garbage, see bug 9065 */
575575
AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForKeys", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3);
576576
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
577577
}

0 commit comments

Comments
 (0)