Explicitly check to make sure the header length isn't too short.
authorGuy Harris <[email protected]>
Wed, 8 Aug 2018 20:41:44 +0000 (13:41 -0700)
committerGuy Harris <[email protected]>
Wed, 21 Nov 2018 23:57:50 +0000 (15:57 -0800)
(backported from commit cf99f0bc838a5f82391a72c1e074781cfacd4cef)

print-802_11.c

index d8bf039de1ab0fff45654840a761825e921a4509..22337a40d8eeac9e5fff38b7264ea79bdff93f50 100644 (file)
@@ -3101,6 +3101,15 @@ ieee802_11_radio_print(netdissect_options *ndo,
        hdr = (const struct ieee80211_radiotap_header *)p;
 
        len = EXTRACT_LE_16BITS(&hdr->it_len);
+       if (len < sizeof(*hdr)) {
+               /*
+                * The length is the length of the entire header, so
+                * it must be as large as the fixed-length part of
+                * the header.
+                */
+               ND_PRINT((ndo, "%s", tstr));
+               return caplen;
+       }
 
        /*
         * If we don't have the entire radiotap header, just give up.
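Review bot: The new `len < sizeof(*hdr)` branch reports a malformed length field with `tstr`, which looks like the same marker the following "don't have the entire radiotap header" path uses for a short capture, so a reader of the output cannot tell a corrupt or crafted `it_len` from ordinary snaplen truncation. A distinct message would keep the two cases apart, for example `ND_PRINT((ndo, "[invalid radiotap header length %u]", (unsigned)len));` before `return caplen;`. The definition of `tstr` and the declaration of `len` are outside the hunk, so the marker text and the format specifier need confirming against the rest of `ieee802_11_radio_print`. A capture file in the test suite with `it_len` below the fixed header size would pin the check; none is visible in this commit.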