Wireshark-commits: [Wireshark-commits] master-1.10 214b64a: Fix buffer overflow in 802.11 decryptio
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Thu, 12 Mar 2015 05:20:01 +0000 (UTC)
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=214b64a0d0a1d8aba65291d55c995d2a0a09295c
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master-1.10
Repository: wireshark

Commits:

214b64a by Peter Wu (peter@xxxxxxxxxxxxx):

    Fix buffer overflow in 802.11 decryption
    
    The sha1 function outputs a multiple of 20 bytes while the ptk buffer
    has only a size of 64 bytes. Follow the hint in 802.11i-2004, page 164
    and use an output buffer of 80 octets.
    
    Noticed when running Wireshark with ASAN, on exit it would try to free a
    "next" pointer which was filled with sha1 garbage. It probably got
    triggered via 3f8fbb734915aaf74eb006898e8fabb007afbf48 which made
    AirPDcap responsible for managing its own memory.
    
    Bug: 10849
    Change-Id: I10c1b9c2e224e5571d746c01fc389f86d25994a1
    Reviewed-on: https://code.wireshark.org/review/7645
    Reviewed-by: Evan Huus <eapache@xxxxxxxxx>
    Petri-Dish: Michael Mann <mmann78@xxxxxxxxxxxx>
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Reviewed-by: Michael Mann <mmann78@xxxxxxxxxxxx>
    (cherry picked from commit b5d062ba57efd4b78f83518ac868fcb25d9bc243)
    Reviewed-on: https://code.wireshark.org/review/7647
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  eb4e768   fix fields format when printing
    adds  214b64a   Fix buffer overflow in 802.11 decryption


Summary of changes:
 epan/crypt/airpdcap.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
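
The sizing problem described in the commit message, as an added example that is not Wireshark's code: a key-derivation loop that emits whole 20-byte SHA-1 digests writes 80 bytes when 64 are requested. All function names are hypothetical, and a constructed stand-in replaces HMAC-SHA1 because only the output length matters here; the truncating variant is an alternative to the 80-octet buffer the commit uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20 /* bytes per SHA-1 digest */

/* Constructed stand-in for one HMAC-SHA1 round; only its 20-byte size matters. */
static void fake_digest20(uint8_t round, uint8_t out[SHA1_LEN])
{
    memset(out, 0xA0 + round, SHA1_LEN);
}

/* Bytes a loop that emits whole digests writes when asked for `want` bytes. */
static size_t prf_bytes_written(size_t want)
{
    return (want + SHA1_LEN - 1) / SHA1_LEN * SHA1_LEN;
}

/* Whole-digest variant: returns bytes written, or -1 if `cap` is too small. */
static long prf_blockwise(uint8_t *out, size_t cap, size_t want)
{
    size_t total = prf_bytes_written(want);
    if (cap < total)
        return -1; /* a 64-byte destination fails here for want = 64 */
    for (size_t off = 0; off < total; off += SHA1_LEN)
        fake_digest20((uint8_t)(off / SHA1_LEN), out + off);
    return (long)total;
}

/* Truncating variant: digest into scratch space, copy only what still fits. */
static size_t prf_truncating(uint8_t *out, size_t want)
{
    uint8_t block[SHA1_LEN];
    size_t off = 0;
    for (uint8_t round = 0; off < want; round++) {
        size_t n = want - off < SHA1_LEN ? want - off : SHA1_LEN;
        fake_digest20(round, block);
        memcpy(out + off, block, n);
        off += n;
    }
    return off;
}

int main(void)
{
    uint8_t ptk[80];
    printf("written=%zu cap64=%ld cap80=%ld truncating=%zu\n", prf_bytes_written(64),
           prf_blockwise(ptk, 64, 64), prf_blockwise(ptk, sizeof ptk, 64), prf_truncating(ptk, 64));
    return 0;
}
```

Building the unchecked form of such a loop with -fsanitize=address is how the overflow in the commit was noticed: the 16 bytes past a 64-byte destination land in whatever follows it.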