From 72a54376bc6bbfb4fd86b34e9fb5e22448b61d34 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 18 Oct 2023 10:25:34 +0200
Subject: [PATCH] IEEE802_11: Fix buffer-overflow due to not accounting for the amsdu header

The fuzzer generated input where data length left was 14 and the amsdu_len field set to 14. That caused buffer overread due not taking into account the amsdu header length of 14.
---
 src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
index bd9d913f78..a03b08cd64 100644
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
@@ -105,7 +105,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
 // This is the length of everything after the A-MSDU subframe header.
 size_t amsdu_len = (data[12] << 8) + data[13];
- if ( len < amsdu_len )
+ if ( len < amsdu_len + 14 )
 {
 Weird("truncated_802_11_amsdu_packet", packet);
 return false;