Fixed stack-based buffer overflow when the frame length exceeds 8KB.
Bug: 11790
Change-Id: I20db8901765a7660e587057e955d4fb5a8645574
Reviewed-on: https://code.wireshark.org/review/12237
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
return AIRPDCAP_RET_WRONG_DATA_SIZE;
}
+ /* Assume that the decrypt_data field is at least this size. */
+ if (tot_len > AIRPDCAP_MAX_CAPLEN) {
+ AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "length too large", AIRPDCAP_DEBUG_LEVEL_3);
+ return AIRPDCAP_RET_UNSUCCESS;
+ }
+
/* get BSSID */
if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
* @param data_len [IN] Total length of the MAC header and the payload
* @param decrypt_data [OUT] Pointer to a buffer that will contain
* decrypted data. If this parameter is set to NULL, decrypted data will
- * be discarded.
+ * be discarded. Must have room for at least AIRPDCAP_MAX_CAPLEN bytes.
* @param decrypt_len [OUT] Length of decrypted data if decrypt_data
* is not NULL.
* @param key [OUT] Pointer to a preallocated key structure containing