blob: 634a01e391f34d5990edb2051748f303023a181a [file] [log] [blame]
Fix for buffer overflow CVE-2010-1159.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
--- a/src/airodump-ng.c
+++ b/src/airodump-ng.c
@@ -2126,7 +2126,7 @@
st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
+ h80211[z + 3] + 4;
- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
+ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
{
// Ignore the packet trying to crash us.
goto write_packet;
@@ -2158,7 +2158,7 @@
st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
+ h80211[z + 3] + 4;
- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
+ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
{
// Ignore the packet trying to crash us.
goto write_packet;