Wireshark-bugs: [Wireshark-bugs] [Bug 4505] Wireshark crashes during IEEE 802.15.4 decryption

Date: Fri, 19 Feb 2010 16:08:06 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4505

Owen Kirby <osk@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #4309|                            |review_for_checkin?
               Flag|                            |

--- Comment #5 from Owen Kirby <osk@xxxxxxxxxx> 2010-02-19 16:07:58 PST ---
Created an attachment (id=4309)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4309)
Fix for malformed IEEE 802.15.4 decryption.

I found the cause of the malformed packets, and it appears to have been caused
by an incorrect length computation in dissect_ieee802154_decrypt(). This length
would then cause a buffer overflow that gets caught by the dissector's
exception handler.

This patch:
  - Fixes the overflow that was causing the malformed packets.
  - Removes the MIC before returning an unencrypted payload.
  - Fixes error handling in cases with a zero-length payload.
  - Implements MIC checking for packets without encryption.
  - Removed the SNAPLEN_TOO_SHORT error code. We can still decrypt a truncated
payload, we just can't authenticate it.
  - Removed the NO_PAYLOAD error code, this case is now handled a little more
gracefully using a tvb subset.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.