ieee80211: handle reserved grouping value

Prevents a buffer overrun (read). Show expert info such that it can be
detected (in case the value is non-reserved in the future).

Bug: 11818
Change-Id: I6cd2f4c9deb5cb515a53743aa83193521b2331e8
Reviewed-on: https://code.wireshark.org/review/14040
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>

diff --git a/epan/dissectors/packet-ieee80211.c b/epan/dissectors/packet-ieee80211.c
index 0d58a39eda2ba70b69377fe35fa9784fc08075fc..43123960d7bf31b1599581c41db24ef6fc686487 100644 (file)
--- a/epan/dissectors/packet-ieee80211.c
+++ b/epan/dissectors/packet-ieee80211.c
@@ -9127,6 +9127,14 @@ add_ff_vht_compressed_beamforming_report(proto_tree *tree, tvbuff_t *tvb, packet
     offset += 1;
   }
 
+  /* Table 8-53c Subfields of the VHT MIMO Control field (802.11ac-2013)
+   * reserves value 3 of the Grouping subfield. */
+  if (grouping == 3) {
+    expert_add_info_format(pinfo, vht_beam_item, &ei_ieee80211_inv_val,
+                           "Grouping subfield value 3 is reserved");
+    return offset;
+  }
+
   subtree = proto_tree_add_subtree(vht_beam_tree, tvb, offset, -1,
                         ett_ff_vhtmimo_beamforming_report_feedback_matrices, NULL, "Beamforming Feedback Matrics");
   if (feedback_type) {