| Fix for buffer overflow CVE-2010-1159. |
| |
| Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> |
| |
| --- a/src/airodump-ng.c |
| +++ b/src/airodump-ng.c |
| @@ -2126,7 +2126,7 @@ |
| st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 ) |
| + h80211[z + 3] + 4; |
| |
| - if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0) |
| + if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256) |
| { |
| // Ignore the packet trying to crash us. |
| goto write_packet; |
| @@ -2158,7 +2158,7 @@ |
| st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 ) |
| + h80211[z + 3] + 4; |
| |
| - if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0) |
| + if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256) |
| { |
| // Ignore the packet trying to crash us. |
| goto write_packet; |