Wireshark-commits: [Wireshark-commits] master-1.12 7c670bb: Fix buffer overflow in 802.11 decryptio

From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Thu, 12 Mar 2015 05:15:46 +0000 (UTC)
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7c670bbd48420da45a2c741fcec20c6deb3f30bf
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master-1.12
Repository: wireshark

Commits:

7c670bb by Peter Wu (peter@xxxxxxxxxxxxx):

    Fix buffer overflow in 802.11 decryption
    
    The sha1 function outputs a multiple of 20 bytes while the ptk buffer
    has only a size of 64 bytes. Follow the hint in 802.11i-2004, page 164
    and use an output buffer of 80 octets.
    
    Noticed when running Wireshark with ASAN, on exit it would try to free a
    "next" pointer which was filled with sha1 garbage. It probably got
    triggered via 3f8fbb734915aaf74eb006898e8fabb007afbf48 which made
    AirPDcap responsible for managing its own memory.
    
    Bug: 10849
    Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
    Reviewed-on: https://code.wireshark.org/review/7645
    Reviewed-by: Evan Huus <eapache@xxxxxxxxx>
    Petri-Dish: Michael Mann <mmann78@xxxxxxxxxxxx>
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Reviewed-by: Michael Mann <mmann78@xxxxxxxxxxxx>
    (cherry picked from commit b5d062ba57efd4b78f83518ac868fcb25d9bc243)
    Reviewed-on: https://code.wireshark.org/review/7646
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  cdb1fc6   websocket: avoid recursion, use tcp_dissect_pdus
    adds  7c670bb   Fix buffer overflow in 802.11 decryption


Summary of changes:
 epan/crypt/airpdcap.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
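
The size mismatch described in the commit message, as an added example that is not code from airpdcap.c or from the Wireshark project. The function names, the stand-in for the HMAC-SHA1 round and the 80-octet arena layout are assumptions made for illustration; only the 20, 64 and 80 octet sizes come from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA1_LEN    20  /* octets produced per SHA-1 based PRF round */
#define PTK_LEN     64  /* size of the old ptk buffer */
#define SCRATCH_LEN 80  /* 4 rounds * 20 octets, the size the fix uses */

/* Stand-in for one HMAC-SHA1 round (assumption: real code hashes key and
 * label data; only the fixed 20-octet output size matters here). */
static void prf_round(uint8_t counter, uint8_t out[SHA1_LEN])
{
    memset(out, 0xA0 | counter, SHA1_LEN);
}

/* Octets the round loop writes in total to deliver `bits` of key material. */
size_t prf_octets_written(size_t bits)
{
    return ((bits + 159) / 160) * SHA1_LEN;
}

/* Flawed pattern, run inside one 80-octet arena so the demo itself stays in
 * bounds: arena[0..63] plays the ptk buffer, arena[64..79] plays whatever
 * follows it in memory (constructed layout). Returns clobbered octets. */
size_t clobbered_by_direct_write(void)
{
    uint8_t arena[SCRATCH_LEN];
    size_t i, hit = 0, rounds = prf_octets_written(PTK_LEN * 8) / SHA1_LEN;
    memset(arena, 0, sizeof arena);
    for (i = 0; i < rounds; i++)
        prf_round((uint8_t)i, arena + i * SHA1_LEN);
    for (i = PTK_LEN; i < sizeof arena; i++)
        hit += (arena[i] != 0);
    return hit;
}

/* Hardened pattern: rounds go to an 80-octet scratch buffer and only the
 * requested octets are copied out. Returns 0 on success, -1 on bad sizes. */
int prf_bounded(uint8_t *out, size_t out_len, size_t bits)
{
    uint8_t scratch[SCRATCH_LEN];
    size_t i, total = prf_octets_written(bits);
    if (bits == 0 || bits % 8 || total > sizeof scratch || out_len < bits / 8)
        return -1;
    for (i = 0; i < total / SHA1_LEN; i++)
        prf_round((uint8_t)i, scratch + i * SHA1_LEN);
    memcpy(out, scratch, bits / 8);
    return 0;
}
```

The fourth round starts at offset 60, so writing rounds straight into a 64-octet destination runs 16 octets past its end; the bounded variant keeps those octets in the scratch buffer.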