From cfe9ba28ddc348064589d64c23ac580c6052ebd5 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Tue, 7 Jun 2016 15:58:01 -0700
Subject: [PATCH] Guarding against reading beyond packet data when accessing L2 address in Radiotap header. This is temporary until we clean up the preceding length check.
---
 src/iosource/Packet.cc | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index e8cd1f2b84..b5a16fa69d 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -310,18 +310,24 @@ void Packet::ProcessLayer2()
 break;
 case 0x01:
- l2_dst = pdata + 16;
 l2_src = pdata + 10;
+ l2_dst = pdata + 16;
 break;
 case 0x02:
- l2_dst = pdata + 4;
 l2_src = pdata + 16;
+ l2_dst = pdata + 4;
 break;
 case 0x03:
- l2_dst = pdata + 16;
- l2_src = pdata + 24;
+ // TODO: We should integrate this
+ // test into the length check above.
+ if ( pdata + 24 + l2_addr_len >= end_of_data )
+ {
+ l2_dst = pdata + 16;
+ l2_src = pdata + 24;
+ }
+ break;
 }
 }
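Review bot: The new guard in `case 0x03` looks inverted: `pdata + 24 + l2_addr_len >= end_of_data` is true exactly when the source address would reach or pass the end of the buffer, so the pointers are set only in the case the commit title says it wants to exclude and are left unset for well-formed frames. Assuming `end_of_data` points one past the last captured byte, the condition should read `if ( pdata + 24 + l2_addr_len <= end_of_data )`; comparing lengths instead, `end_of_data - pdata >= 24 + l2_addr_len`, would also avoid forming a pointer beyond the buffer on truncated packets. Cases 0x01 and 0x02 rely on the earlier length check that this hunk does not show, so it is worth confirming that check covers offset 16 plus `l2_addr_len`. `ProcessLayer2` starts and ends outside the hunk.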