From: Guy Harris
Date: Mon, 19 Jul 2021 01:45:23 +0000 (-0700)
Subject: 802.11: fetch the CF and TIM IEs a field at a time.
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/0ff8efa84a862c47025e17c2fe52d9c91c6152a4
802.11: fetch the CF and TIM IEs a field at a time.
That should squelch Coverity CIDs 1487524 and 1487523; it also means that we convert the 2-byte fields from little-endian byte order to host order, and also avoids issues with padding in the structures we use.
---
diff --git a/print-802_11.c b/print-802_11.c
index 1600d0e7..d2f0f35b 100644
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -1277,9 +1277,18 @@ parse_elements(netdissect_options *ndo,
 length -= cf.length;
 break;
 }
- memcpy(&cf.count, p + offset, 6);
- offset += 6;
- length -= 6;
+ cf.count = GET_U_1(p + offset);
+ offset += 1;
+ length -= 1;
+ cf.period = GET_U_1(p + offset);
+ offset += 1;
+ length -= 1;
+ cf.max_duration = GET_LE_U_2(p + offset);
+ offset += 2;
+ length -= 2;
+ cf.dur_remaining = GET_LE_U_2(p + offset);
+ offset += 2;
+ length -= 2;
 /*
 * Present and not truncated.
 *
@@ -1303,10 +1312,15 @@ parse_elements(netdissect_options *ndo,
 }
 if (tim.length - 3U > sizeof(tim.bitmap))
 return 0;
- memcpy(&tim.count, p + offset, 3);
- offset += 3;
- length -= 3;
-
+ tim.count = GET_U_1(p + offset);
+ offset += 1;
+ length -= 1;
+ tim.period = GET_U_1(p + offset);
+ offset += 1;
+ length -= 1;
+ tim.bitmap_control = GET_U_1(p + offset);
+ offset += 1;
+ length -= 1;
 memcpy(tim.bitmap, p + offset, tim.length - 3);
 offset += tim.length - 3;
 length -= tim.length - 3;
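Review bot: The four fetches in the CF hunk (`@@ -1277`) advance `offset` and `length` by 1+1+2+2, and nothing on the new side states that this sum must stay equal to the 6 that the replaced `memcpy(&cf.count, p + offset, 6)` consumed in one step. A one-line comment above `cf.count = GET_U_1(p + offset);` would pin that, for example `/* CF Parameter Set body: count(1), period(1), max_duration(2, LE), dur_remaining(2, LE) = 6 octets */`. The length test guarding this path begins before the hunk, so whether it compares against the same constant cannot be confirmed from here; if it does, the comment should name it. Stating the element size in one place matters because `length` is now decremented per field, and a later edit that adds or resizes a field would desynchronise the remaining-length accounting with no compile-time signal.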
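Review bot: The trailing `memcpy(tim.bitmap, p + offset, tim.length - 3);` in the TIM hunk (`@@ -1303`) is now the only read from the packet in this section that does not go through a bounds-checked `GET_` accessor, and the visible guard `tim.length - 3U > sizeof(tim.bitmap)` bounds the destination only. Whether `tim.length - 3` bytes are actually present in the captured data depends on a check earlier in parse_elements, which is outside the hunk. If that check exists, a comment on the memcpy naming it would show the asymmetry is deliberate; if it does not, a test such as `if (!ND_TTEST_LEN(p + offset, tim.length - 3)) return 0;` before the copy would close the gap.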