mirror of
https://git.busybox.net/buildroot.git
synced 2024-12-15 00:03:39 +08:00
ac147527e2
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
25 lines
1.1 KiB
Diff
25 lines
1.1 KiB
Diff
Fix for buffer overflow CVE-2010-1159.
|
|
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
|
|
--- a/src/airodump-ng.c
|
|
+++ b/src/airodump-ng.c
|
|
@@ -2126,7 +2126,7 @@
|
|
st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
|
|
+ h80211[z + 3] + 4;
|
|
|
|
- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
|
|
+ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
|
|
{
|
|
// Ignore the packet trying to crash us.
|
|
goto write_packet;
|
|
@@ -2158,7 +2158,7 @@
|
|
st_cur->wpa.eapol_size = ( h80211[z + 2] << 8 )
|
|
+ h80211[z + 3] + 4;
|
|
|
|
- if ((int)pkh.len - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0)
|
|
+ if (caplen - z < st_cur->wpa.eapol_size || st_cur->wpa.eapol_size == 0 || caplen - z < 81 + 16 || st_cur->wpa.eapol_size > 256)
|
|
{
|
|
// Ignore the packet trying to crash us.
|
|
goto write_packet;
|