Wireshark-bugs: [Wireshark-bugs] [Bug 6345] GUI crash on invalid IEEE 802.11 GAS frame

Date: Thu, 15 Sep 2011 08:51:48 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6345

Jouni Malinen <j@xxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #7022|                            |review_for_checkin?
               Flag|                            |

--- Comment #1 from Jouni Malinen <j@xxxxx> 2011-09-15 08:51:47 PDT ---
Created an attachment (id=7022)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7022)
ieee80211: Fix a GUI crash on invalid GAS frame

If the GAS Query Request/Response Length field is incorrect, the
dissector function may return a value that is larger than the remaining
packet buffer. This results in a Tagged parameters item being added with
-1 byte length since tvb_reported_length_remaining() reports -1 once the
offset goes beyond the end of the packet. Clicking on that item results
in Wireshark dying on Gtk-ERROR. Note: this does not show up in tshark
and as such, cannot apparently be triggered with fuzz-test.sh.

Fix this by refusing to dissect GAS frames that have a too large length
field value. In addition, verify that tvb_reported_length_remaining() is
returning a value larger than 0 instead of non-zero (which could be -1)
to make the IEEE 802.11 dissector more robust against this type of
issue.

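The following C sketch is an added example, not part of the original message or of Wireshark's code. It models the two checks the message describes: rejecting a query length field larger than the bytes that remain, and testing the remaining length with `> 0` rather than for non-zero. The `struct pkt` buffer, the `remaining()` helper (which mimics the reported behaviour of returning -1 past the end), the simplified 2-byte length layout and the sample frames are all constructed assumptions.

```c
#include <stdio.h>
/* Constructed model of a packet buffer; not Wireshark's tvbuff_t. */
struct pkt { const unsigned char *data; int len; };

/* Models the behaviour the message describes: -1 once offset is past the end. */
static int remaining(const struct pkt *p, int offset)
{
    return (offset >= 0 && offset <= p->len) ? p->len - offset : -1;
}

/* Assumed layout: 2-byte little-endian query length, then the query bytes.
 * Trusts the length field and returns the offset that follows the query. */
static int dissect_query_unchecked(const struct pkt *p, int offset)
{
    if (remaining(p, offset) < 2) return offset;
    return offset + 2 + (p->data[offset] | (p->data[offset + 1] << 8));
}

/* Refuses (returns -1) when the length field exceeds the bytes that are left. */
static int dissect_query_checked(const struct pkt *p, int offset)
{
    if (remaining(p, offset) < 2) return -1;
    int qlen = p->data[offset] | (p->data[offset + 1] << 8);
    return qlen > remaining(p, offset + 2) ? -1 : offset + 2 + qlen;
}

/* Length of the trailing item the caller would add (0 means "add nothing"). */
static int item_len_nonzero_test(const struct pkt *p, int offset)
{
    int left = remaining(p, offset);
    return left ? left : 0;          /* weak: -1 is non-zero, so it passes */
}
static int item_len_positive_test(const struct pkt *p, int offset)
{
    int left = remaining(p, offset);
    return left > 0 ? left : 0;      /* robust: -1 and 0 both add nothing */
}

/* Constructed frames: "bad" claims 64 query bytes but carries only 3. */
static const unsigned char bad_bytes[]  = { 0x40, 0x00, 0xaa, 0xbb, 0xcc };
static const unsigned char good_bytes[] = { 0x03, 0x00, 0xaa, 0xbb, 0xcc, 0xdd };
static const struct pkt bad  = { bad_bytes,  (int)sizeof bad_bytes };
static const struct pkt good = { good_bytes, (int)sizeof good_bytes };
int main(void)
{
    int off = dissect_query_unchecked(&bad, 0);
    printf("bad: next offset %d, item length %d (non-zero test) vs %d (> 0 test)\n",
           off, item_len_nonzero_test(&bad, off), item_len_positive_test(&bad, off));
    printf("checked: bad %d, good %d\n", dissect_query_checked(&bad, 0), dissect_query_checked(&good, 0));
    return 0;
}
```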