URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b52f9929238ce3948ec924ae4f9456b5e9df558
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master-2.6
Repository: wireshark
Commits:
1b52f99 by Peter Wu (peter@xxxxxxxxxxxxx):
dot11crypt: add bounds check for TDLS elements
Fixes a buffer overrun (read) of at most 255 bytes which could occur
while processing FTE in Dot11DecryptTDLSDeriveKey.
While at it, according to 802.11-2016 9.4.1.9, "A status code of
SUCCESS_POWER_SAVE_MODE also indicates a successful operation.". No idea
when it makes a difference, but let's implement it too.
Bug: 14686
Change-Id: Ia7a41cd965704a4d51fb5a4dc4d01885fc17375c
Fixes: v2.1.0rc0-1825-g6991149557 ("[airpdcap] Add support to decrypt TDLS traffic")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8189
Reviewed-on: https://code.wireshark.org/review/27618
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
(cherry picked from commit f440561b8c49c7863191c1ff2b36debed4d8d620)
Reviewed-on: https://code.wireshark.org/review/27640
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Actions performed:
from e50f7ce proto.c: do not dereference a NULL pointer in proto_item_get_len() on first pass
adds 1b52f99 dot11crypt: add bounds check for TDLS elements
Summary of changes:
epan/crypt/dot11decrypt.c | 40 ++++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 10 deletions(-)