Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 23:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'topic/jgras/802-11-header' of https://github.com/J-Gras/bro

Browse source 
Added one more range check.
This commit is contained in:
Robin Sommer 2016-06-14 17:31:08 -07:00
commit e69f7f85d1
1 changed files with 55 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

99
src/iosource/Packet.cc
View file

@ -267,30 +267,19 @@ void Packet::ProcessLayer2()
Weird("truncated_radiotap_header"); Weird("truncated_radiotap_header");
return; return;
} }
// Skip over the RadioTap header // Skip over the RadioTap header
int rtheader_len = (pdata[3] << 8) + pdata[2]; int rtheader_len = (pdata[3] << 8) + pdata[2];
if ( pdata + rtheader_len >= end_of_data ) if ( pdata + rtheader_len >= end_of_data )
{ {
Weird("truncated_radiotap_header"); Weird("truncated_radiotap_header");
return; return;
} }
pdata += rtheader_len; pdata += rtheader_len;
u_char len_80211 = 0; u_char len_80211 = 24; // minimal length of data frames
int type_80211 = pdata[0];
if ( (type_80211 >> 4) & 0x04 )
{
//identified a null frame (we ignore for now). no weird.
return;
}
// Look for the QoS indicator bit.
if ( (type_80211 >> 4) & 0x08 )
len_80211 = 26;
else
len_80211 = 24;
if ( pdata + len_80211 >= end_of_data ) if ( pdata + len_80211 >= end_of_data )
{ {
@ -298,40 +287,62 @@ void Packet::ProcessLayer2()
return; return;
} }
// Look for data frames u_char fc_80211 = pdata[0]; // Frame Control field
if ( type_80211 & 0x08 )
// Skip non-data frame types (management & control).
if ( ! ((fc_80211 >> 2) & 0x02) )
return;
// Skip subtypes without data.
if ( (fc_80211 >> 4) & 0x04 )
return;
// 'To DS' and 'From DS' flags set indicate use of the 4th
// address field.
if ( (pdata[1] & 0x03) == 0x03 )
len_80211 += l2_addr_len;
// Look for the QoS indicator bit.
if ( (fc_80211 >> 4) & 0x08 )
{ {
// Determine link-layer addresses based // Skip in case of A-MSDU subframes indicated by QoS
// on 'To DS' and 'From DS' flags // control field.
switch ( pdata[1] & 0x03 ) { if ( pdata[len_80211] & 0x80)
case 0x00: return;
l2_dst = pdata + 4;
l2_src = pdata + 10;
break;
case 0x01: len_80211 += 2;
l2_src = pdata + 10;
l2_dst = pdata + 16;
break;
case 0x02:
l2_src = pdata + 16;
l2_dst = pdata + 4;
break;
case 0x03:
// TODO: We should integrate this
// test into the length check above.
if ( pdata + 24 + l2_addr_len >= end_of_data )
{
l2_dst = pdata + 16;
l2_src = pdata + 24;
}
break;
} }
if ( pdata + len_80211 >= end_of_data )
{
Weird("truncated_radiotap_header");
return;
} }
// Determine link-layer addresses based
// on 'To DS' and 'From DS' flags
switch ( pdata[1] & 0x03 ) {
case 0x00:
l2_src = pdata + 10;
l2_dst = pdata + 4;
break;
case 0x01:
l2_src = pdata + 10;
l2_dst = pdata + 16;
break;
case 0x02:
l2_src = pdata + 16;
l2_dst = pdata + 4;
break;
case 0x03:
l2_src = pdata + 24;
l2_dst = pdata + 16;
break;
}
// skip 802.11 data header // skip 802.11 data header
pdata += len_80211; pdata += len_80211;