Explicitly check to make sure the header length isn't too short.
authorGuy Harris <[email protected]>
Wed, 8 Aug 2018 20:41:44 +0000 (13:41 -0700)
committerGuy Harris <[email protected]>
Wed, 8 Aug 2018 20:41:44 +0000 (13:41 -0700)
print-802_11.c

index 227e1bf37e7ee3a61d6b734712db57322aaa53d3..8a4b3bdb56338eb4fc073e2b017a778fb14b0e08 100644 (file)
@@ -3089,6 +3089,15 @@ ieee802_11_radio_print(netdissect_options *ndo,
        hdr = (const struct ieee80211_radiotap_header *)p;
 
        len = EXTRACT_LE_U_2(hdr->it_len);
+       if (len < sizeof(*hdr)) {
+               /*
+                * The length is the length of the entire header, so
+                * it must be as large as the fixed-length part of
+                * the header.
+                */
+               nd_print_trunc(ndo);
+               return caplen;
+       }
 
        /*
         * If we don't have the entire radiotap header, just give up.
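Review bot: The new `len < sizeof(*hdr)` branch reports a malformed `it_len` with `nd_print_trunc(ndo)`, which is presumably the same marker the following "don't have the entire radiotap header" path uses, so a reader of the output cannot tell a frame with an invalid length field from one cut short by the snapshot length. A length smaller than the fixed header is a property of the packet, not of the capture, and it is the case a deliberately malformed frame would produce, so it deserves a distinct marker; if the tree has a helper for marking invalid packets, it fits here better than the truncation marker. The comment would also read more precisely as `it must be at least as large as the fixed-length part of the header`. The body of ieee802_11_radio_print starts and ends outside the hunk, so the `caplen` check that should guard the read of `hdr->it_len` is not visible here.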