From: Guy Harris
Date: Tue, 5 Apr 2011 16:53:57 +0000 (-0700)
Subject: Fix the handling of unknown tagged parameters in management frames.
X-Git-Tag: tcpdump-4.2.1~54^2~3
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/5b665ba92ff69d8b51bbd634187dd3d6fdb48fe4

Fix the handling of unknown tagged parameters in management frames.

Fetch the element length early in the process, rather than fetching it each time we need it - even after we've advanced the pointer we are using to fetch it (doing the latter means we fetch the wrong value when we subtract it from the remaining length).
---
diff --git a/print-802_11.c b/print-802_11.c
index 385e6cb6..64c9f24d 100644
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -269,6 +269,7 @@ static int
 parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset,
 u_int length)
 {
+ u_int elementlen;
 struct ssid_t ssid;
 struct challenge_t challenge;
 struct rates_t rates;
@@ -487,12 +488,13 @@ parse_elements(struct mgmt_body_t *pbody, const u_char *p, int offset,
 return 0;
 if (length < 2)
 return 0;
- if (!TTEST2(*(p + offset + 2), *(p + offset + 1)))
+ elementlen = *(p + offset + 1);
+ if (!TTEST2(*(p + offset + 2), elementlen))
 return 0;
- if (length < (u_int)(*(p + offset + 1) + 2))
+ if (length < elementlen + 2)
 return 0;
- offset += *(p + offset + 1) + 2;
- length -= *(p + offset + 1) + 2;
+ offset += elementlen + 2;
+ length -= elementlen + 2;
 break;
 }
 }
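Review bot: The read in `elementlen = *(p + offset + 1);` is guarded within this hunk only by `if (length < 2)`, which bounds the declared remaining frame length, not the bytes actually captured; the TTEST2 that follows covers the element body from offset + 2 onward, so a capture truncated inside the two-byte element header would still be read here unless an earlier TTEST2 on the header sits above the hunk. That guard, if present, is at the top of the loop outside this view, so it is worth confirming rather than assuming. Since the whole fix rests on reading the length once before offset moves, a short comment would stop a later cleanup from re-reading `p[offset + 1]` after the advance: `/* Read the length before offset is advanced below; never re-read it afterwards. */`. The declaration added in the first hunk is fine; parse_elements's body between the two hunks is outside this view, and its closing brace is the last context line of the second hunk.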