Uniformly use IEEE802_11_TSTAMP_LEN as the 802.11 timestamp length and

IEEE802_11_AP_LEN as the length of the previous AP in a reassociation
frame.

Before copying variable-length fields from a management frame IE, make
sure the length isn't too large.
This commit is contained in:
guy 2005-10-17 07:58:56 +00:00
parent 9e349e88a7
commit c589777d74
2 changed files with 13 additions and 5 deletions


@ -1,4 +1,4 @@
/* @(#) $Header: /tcpdump/master/tcpdump/ieee802_11.h,v 1.9 2003-07-22 17:36:57 guy Exp $ (LBL) */
/* @(#) $Header: /tcpdump/master/tcpdump/ieee802_11.h,v 1.10 2005-10-17 07:58:56 guy Exp $ (LBL) */
/*
* Copyright (c) 2001
* Fortress Technologies
@ -199,12 +199,12 @@ struct tim_t {
struct mgmt_body_t {
u_int8_t timestamp[8];
u_int8_t timestamp[IEEE802_11_TSTAMP_LEN];
u_int16_t beacon_interval;
u_int16_t listen_interval;
u_int16_t status_code;
u_int16_t aid;
u_char ap[6];
u_char ap[IEEE802_11_AP_LEN];
u_int16_t reason_code;
u_int16_t auth_alg;
u_int16_t auth_trans_seq_num;
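Review bot: `struct mgmt_body_t` now depends on IEEE802_11_TSTAMP_LEN and IEEE802_11_AP_LEN being defined earlier in ieee802_11.h, and neither hunk of this file shows where they come from; if they are currently defined only in print-802_11.c they should move into this header above the struct, otherwise the header is no longer self-contained. The `ap` field would also benefit from a comment recording the meaning the commit message gives it, e.g. `u_char ap[IEEE802_11_AP_LEN]; /* previous AP, reassociation frames only */`. The struct definition continues past the end of this hunk.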


@ -22,7 +22,7 @@
#ifndef lint
static const char rcsid[] _U_ =
"@(#) $Header: /tcpdump/master/tcpdump/print-802_11.c,v 1.36 2005-07-30 21:37:20 guy Exp $ (LBL)";
"@(#) $Header: /tcpdump/master/tcpdump/print-802_11.c,v 1.37 2005-10-17 07:58:57 guy Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
@ -132,6 +132,8 @@ parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset)
offset += 2;
if (pbody->ssid.length <= 0)
break;
if (pbody->ssid.length > 32)
return 0;
if (!TTEST2(*(p + offset), pbody->ssid.length))
return 0;
memcpy(&pbody->ssid.ssid, p + offset,
@ -146,6 +148,8 @@ parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset)
offset += 2;
if (pbody->challenge.length <= 0)
break;
if (pbody->challenge.length > 253)
return 0;
if (!TTEST2(*(p + offset), pbody->challenge.length))
return 0;
memcpy(&pbody->challenge.text, p + offset,
@ -160,6 +164,8 @@ parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset)
offset += 2;
if (pbody->rates.length <= 0)
break;
if (pbody->rates.length > 8)
return 0;
if (!TTEST2(*(p + offset), pbody->rates.length))
return 0;
memcpy(&pbody->rates.rate, p + offset,
@ -190,6 +196,8 @@ parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset)
if (pbody->tim.length <= 3)
break;
if (pbody->rates.length > 251)
return 0;
if (!TTEST2(*(p + offset), pbody->tim.length - 3))
return 0;
memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3),
@ -223,7 +231,7 @@ handle_beacon(const u_char *p)
if (!TTEST2(*p, IEEE802_11_TSTAMP_LEN + IEEE802_11_BCNINT_LEN +
IEEE802_11_CAPINFO_LEN))
return 0;
memcpy(&pbody.timestamp, p, 8);
memcpy(&pbody.timestamp, p, IEEE802_11_TSTAMP_LEN);
offset += IEEE802_11_TSTAMP_LEN;
pbody.beacon_interval = EXTRACT_LE_16BITS(p+offset);
offset += IEEE802_11_BCNINT_LEN;
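Review bot: The length check added in the `@ -190,6 +196,8 @@` hunk tests the wrong field: `if (pbody->rates.length > 251)` sits in the TIM branch but reads the Supported Rates length, so an oversized TIM element still reaches the `memcpy` into `pbody->tim.bitmap` with a size derived from `tim.length`; the line should read `if (pbody->tim.length > 251)`. The other three new bounds (32, 253, 8) are literals that must stay in step with the destination arrays in `struct mgmt_body_t`, which these hunks do not show; deriving each from `sizeof` of its target field (e.g. `sizeof pbody->rates.rate`) would tie the guard to the buffer, assuming no field reserves a trailing NUL byte. Separately, the unchanged `memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3), ...` line computes its source pointer without `offset`, which looks inconsistent with the other element copies and is worth confirming while this branch is being touched. parse_elements begins and ends outside these hunks.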