URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b5d062ba57efd4b78f83518ac868fcb25d9bc243
Submitter: Michael Mann (mmann78@xxxxxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
b5d062b by Peter Wu (peter@xxxxxxxxxxxxx):
Fix buffer overflow in 802.11 decryption

The sha1 function outputs a multiple of 20 bytes while the ptk buffer
has only a size of 64 bytes. Follow the hint in 802.11i-2004, page 164
and use an output buffer of 80 octets.

Noticed when running Wireshark with ASAN, on exit it would try to free a
"next" pointer which was filled with sha1 garbage. It probably got
triggered via 3f8fbb734915aaf74eb006898e8fabb007afbf48 which made
AirPDcap responsible for managing its own memory.

Bug: 10849
Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
Reviewed-on: https://code.wireshark.org/review/7645
Reviewed-by: Evan Huus <eapache@xxxxxxxxx>
Petri-Dish: Michael Mann <mmann78@xxxxxxxxxxxx>
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Peter Wu <peter@xxxxxxxxxxxxx>
Reviewed-by: Michael Mann <mmann78@xxxxxxxxxxxx>
Actions performed:
from 90797b9 relay USB control messages without payload to protocol-specific dissectors
adds b5d062b Fix buffer overflow in 802.11 decryption
Summary of changes:
epan/crypt/airpdcap.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
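
The sizing problem the commit message describes, as an added example that is not Wireshark's code or part of the original notification: a PRF that emits whole 20-byte digests writes 80 bytes when asked for 64, so it needs an 80-octet scratch buffer with only the first 64 bytes copied out. `toy_block`, `struct sa_entry`, `prf_bytes_written` and `derive_ptk` are hypothetical names, and `toy_block` is a constructed stand-in for the real HMAC-SHA1 call.

```c
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20   /* bytes produced by every SHA-1 based block */
#define PTK_LEN  64   /* size of the ptk buffer named in the commit message */
#define PRF_BUF  80   /* output buffer size the commit message settles on */

/* Constructed stand-in for one HMAC-SHA1 block of the PRF (assumption, not
 * real crypto): like the real digest it always writes exactly SHA1_LEN bytes. */
static void toy_block(unsigned char counter, unsigned char out[SHA1_LEN])
{
    for (size_t j = 0; j < SHA1_LEN; j++)
        out[j] = (unsigned char)(0xA0 + counter * SHA1_LEN + j);
}

/* Bytes a block-at-a-time loop writes to satisfy a request of `want` bytes. */
static size_t prf_bytes_written(size_t want)
{
    return (want + SHA1_LEN - 1) / SHA1_LEN * SHA1_LEN;
}

/* Hypothetical layout: key material directly followed by a list pointer. */
struct sa_entry {
    unsigned char ptk[PTK_LEN];
    struct sa_entry *next;
};

/* Generate whole blocks into the scratch buffer, then copy only PTK_LEN bytes. */
static int derive_ptk(struct sa_entry *sa)
{
    unsigned char scratch[PRF_BUF];
    size_t need = prf_bytes_written(PTK_LEN);

    if (need > sizeof scratch)
        return -1;                       /* refuse rather than overrun */
    for (size_t off = 0, i = 0; off < need; off += SHA1_LEN, i++)
        toy_block((unsigned char)i, scratch + off);
    memcpy(sa->ptk, scratch, PTK_LEN);
    return 0;
}

int main(void)
{
    struct sa_entry sa = { .next = &sa };
    int rc = derive_ptk(&sa);
    printf("blocks write %zu bytes for a %d-byte PTK\n", prf_bytes_written(PTK_LEN), PTK_LEN);
    printf("rc=%d, next pointer intact: %s\n", rc, sa.next == &sa ? "yes" : "no");
    return rc;
}
```

Writing the same four blocks straight into `sa->ptk` would place the last 16 bytes past the end of the array, which in this layout is where `next` sits.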