Add boundary check for 802.11 decryption
authorPeter Wu <peter@lekensteyn.nl>
Sat, 28 Nov 2015 00:24:12 +0000 (01:24 +0100)
committerPeter Wu <peter@lekensteyn.nl>
Sat, 28 Nov 2015 09:47:28 +0000 (09:47 +0000)
Fixed stack-based buffer overflow when the frame length exceeds 8KB.

Bug: 11790
Change-Id: I20db8901765a7660e587057e955d4fb5a8645574
Reviewed-on: https://code.wireshark.org/review/12237
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
epan/crypt/airpdcap.c
epan/crypt/airpdcap_system.h

index cc60176a2785343808e8895d2d8b498780e8fb83..e584bf43acce3923c4cdfe30edffd0c1526a76e2 100644 (file)
@@ -663,6 +663,12 @@ INT AirPDcapPacketProcess(
         return AIRPDCAP_RET_WRONG_DATA_SIZE;
     }
 
+    /* Assume that the decrypt_data field is at least this size. */
+    if (tot_len > AIRPDCAP_MAX_CAPLEN) {
+        AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
+        return AIRPDCAP_RET_UNSUCCESS;
+    }
+
     /* get BSSID */
     if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
         memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
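Review bot: The new guard reports an oversized frame as AIRPDCAP_RET_UNSUCCESS while the size check immediately above it (line 19) reports a length problem as AIRPDCAP_RET_WRONG_DATA_SIZE, so a caller that switches on the return code gets two different answers for the same class of input error. Unless a too-large frame is meant to be indistinguishable from a generic failure, `return AIRPDCAP_RET_WRONG_DATA_SIZE;` would keep the two length checks consistent; if the distinction is intentional, the comment should say so. The comment itself states an assumption rather than the contract the check enforces; something like `/* Callers must provide decrypt_data with room for AIRPDCAP_MAX_CAPLEN bytes (see airpdcap_system.h); reject longer frames before any copy into it. */` ties it to the header documentation changed in the same commit. The commit message also mentions a stack-based overflow, which presumably involves a fixed-size local buffer elsewhere in this function; it would be worth noting in the comment that the guard protects that buffer too, if that is the case. AirPDcapPacketProcess begins before and continues after this hunk.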
index 1166e347c4c43a64eebf5e8eed2644d759eea9f5..11018fbcfacf3f3602b60e57fea16d8693ee61e9 100644 (file)
@@ -183,7 +183,7 @@ extern "C" {
  * @param data_len [IN] Total length of the MAC header and the payload
  * @param decrypt_data [OUT] Pointer to a buffer that will contain
  *   decrypted data. If this parameter is set to NULL, decrypted data will
- *   be discarded.
+ *   be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
  * @param decrypt_len [OUT] Length of decrypted data if decrypt_data
  *   is not NULL.
  * @param key [OUT] Pointer to a preallocated key structure containing