Wireshark-commits: [Wireshark-commits] master-2.6 1b52f99: dot11crypt: add bounds check for TDLS el

From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Fri, 18 May 2018 13:18:11 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b52f9929238ce3948ec924ae4f9456b5e9df558
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master-2.6
Repository: wireshark

Commits:

1b52f99 by Peter Wu (peter@xxxxxxxxxxxxx):

    dot11crypt: add bounds check for TDLS elements
    
    Fixes a buffer overrun (read) of at most 255 bytes which could occur
    while processing FTE in Dot11DecryptTDLSDeriveKey.
    
    While at it, according to 802.11-2016 9.4.1.9, "A status code of
    SUCCESS_POWER_SAVE_MODE also indicates a successful operation.". No idea
    when it makes a difference, but let's implement it too.
    
    Bug: 14686
    Change-Id: Ia7a41cd965704a4d51fb5a4dc4d01885fc17375c
    Fixes: v2.1.0rc0-1825-g6991149557 ("[airpdcap] Add support to decrypt TDLS traffic")
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8189
    Reviewed-on: https://code.wireshark.org/review/27618
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    (cherry picked from commit f440561b8c49c7863191c1ff2b36debed4d8d620)
    Reviewed-on: https://code.wireshark.org/review/27640
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    

Actions performed:

    from  e50f7ce   proto.c: do not dereference a NULL pointer in proto_item_get_len() on first pass
    adds  1b52f99   dot11crypt: add bounds check for TDLS elements


Summary of changes:
 epan/crypt/dot11decrypt.c | 40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)