Add some bounds checks.
authorGuy Harris <guy@alum.mit.edu>
Sun, 10 May 2015 06:53:20 +0000 (23:53 -0700)
committerGuy Harris <guy@alum.mit.edu>
Sun, 10 May 2015 06:53:53 +0000 (06:53 +0000)
Change-Id: I5b0405f814d439c1d5ce329a817475102be483af
Reviewed-on: https://code.wireshark.org/review/8373
Reviewed-by: Guy Harris <guy@alum.mit.edu>
epan/crypt/airpdcap.c

index d4dd7b90d102b92aceccbc5684accf73fd05d2a0..eaa0b61d7fa1335c5bd01c9823500e6a2050dd55 100644 (file)
@@ -408,6 +408,9 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8  *decryption
             rsn_id = decrypted_data[key_index];
 
             if (rsn_id != 0xdd){
+                if (key_index+1 >= key_bytes_len){
+                    return;
+                }
                 key_index += decrypted_data[key_index+1]+2;
             }else{
                 key_found = TRUE;
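Review bot: The bare `return;` added under `if (key_index+1 >= key_bytes_len)` leaves the function from the middle of its parsing, skipping whatever cleanup sits at its end. The function starts and ends outside the hunk, so this cannot be confirmed here, but if `decrypted_data` or `szEncryptedKey` is heap-allocated earlier, this path and the `return` in the next hunk would leak it on every malformed key frame; freeing before each return or using a single exit path would avoid that. The check only covers the length byte at `key_index+1`; after `key_index += decrypted_data[key_index+1]+2` the next read of `decrypted_data[key_index]` depends on the enclosing loop condition, which is not visible. A comment such as `/* element length byte lies past the decrypted data: malformed, give up */` would state why the function bails out.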
@@ -415,6 +418,8 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8  *decryption
         }
 
         if (key_found){
+            if (key_index+8 >= key_bytes_len)
+                return;
             /* Skip over the GTK header info, and don't copy past the end of the encrypted data */
             memcpy(szEncryptedKey, decrypted_data+key_index+8, key_bytes_len-key_index-8);
         }
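Review bot: The guard `if (key_index+8 >= key_bytes_len)` keeps the length `key_bytes_len-key_index-8` from going negative or wrapping, but nothing in the hunk ties that length to the capacity of `szEncryptedKey`. Its allocation is outside the hunk, so confirm the buffer holds at least `key_bytes_len` bytes; if it does, record that next to the `memcpy`, e.g. `/* szEncryptedKey is key_bytes_len bytes, so this copy cannot overrun it */`. The unbraced `if` also differs from the braced check added in the previous hunk; `if (key_index+8 >= key_bytes_len){ return; }` would match it and is safer against a later second statement being added under the condition.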