Wireshark-commits: [Wireshark-commits] rev 39024: /trunk/epan/dissectors/ /trunk/epan/dissectors/:
Date: Fri, 16 Sep 2011 05:16:18 GMT
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=39024

User: etxrab
Date: 2011/09/15 10:16 PM

Log:
 From Jouni Malinen:
 If the GAS Query Request/Response Length field is incorrect, the
 dissector function may return a value that is larger than the remaining
 packet buffer. This results in a Tagged parameters item being added with
 -1 byte length since tvb_reported_length_remaining() reports -1 once the
 offset goes beyond the end of the packet. Clicking on that item results
 in Wireshark dying on Gtk-ERROR. Note: this does not show up in tshark
 and as such, cannot apparently be triggered with fuzz-test.sh.
 
 Fix this by refusing to dissect GAS frames that have too large a length
 field value. In addition, verify that tvb_reported_length_remaining() is
 returning a value larger than 0 instead of non-zero (which could be -1)
 to make the IEEE 802.11 dissector more robust against this type of
 issue.
 
 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6345

Directory: /trunk/epan/dissectors/
  Changes    Path                  Action
  +19 -4     packet-ieee80211.c    Modified
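
The failure mode and both fixes described in the log, as a stand-alone C sketch added here for illustration; it is not the code from this commit or from packet-ieee80211.c. The helper names, the 2-byte little-endian length prefix and the sample bytes are assumptions; `remaining()` only models the -1 behaviour the log attributes to tvb_reported_length_remaining().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the behaviour the log describes for
 * tvb_reported_length_remaining(): -1 once offset is past the end. */
static int remaining(size_t len, size_t offset)
{
    return offset > len ? -1 : (int)(len - offset);
}

/* Hypothetical field: 2-byte little-endian length followed by the body.
 * Unchecked: trusts the length field and returns the offset after it. */
static size_t parse_unchecked(const uint8_t *buf, size_t len, size_t offset)
{
    (void)len;
    size_t qlen = (size_t)buf[offset] | ((size_t)buf[offset + 1] << 8);
    return offset + 2 + qlen;
}

/* Checked: refuses (returns 0) when the length field exceeds what is left. */
static size_t parse_checked(const uint8_t *buf, size_t len, size_t offset)
{
    if (remaining(len, offset) < 2)
        return 0;
    size_t qlen = (size_t)buf[offset] | ((size_t)buf[offset + 1] << 8);
    if (qlen > (size_t)remaining(len, offset + 2))
        return 0;
    return offset + 2 + qlen;
}

/* Caller-side guards deciding whether to add a trailing item. */
static int add_item_nonzero(size_t len, size_t off) { return remaining(len, off) != 0; }
static int add_item_positive(size_t len, size_t off) { return remaining(len, off) > 0; }

/* Constructed sample: length field claims 16 bytes, only 3 follow. */
static const uint8_t sample[] = { 0x10, 0x00, 0xaa, 0xbb, 0xcc };

int main(void)
{
    size_t off = parse_unchecked(sample, sizeof sample, 0);
    printf("unchecked offset=%zu remaining=%d nonzero=%d positive=%d\n",
           off, remaining(sizeof sample, off),
           add_item_nonzero(sizeof sample, off),
           add_item_positive(sizeof sample, off));
    printf("checked offset=%zu\n", parse_checked(sample, sizeof sample, 0));
    return 0;
}
```

With the unchecked parser the non-zero guard accepts the -1 and would add the trailing item; either fix alone stops it, and applying both matches the defence in depth the log describes.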