Merge pull request #322 from DDoSolitary/patch-radiotap-overflow-2

Buffer overflow fixes for radiotap.

include/tins/utils/radiotap_parser.h

@@ -114,7 +114,11 @@ public:
     RadioTap::option current_option();
 
     /**
-     * Gets the pointer at which the current option is located
+     * \brief Gets the pointer at which the current option is located
+     *
+     * A past-the-end pointer may be returned in case of malformed input or
+     * end of data. Its validity must be checked (e.g. using
+     * \ref RadioTapParser.has_fields) before dereference.
      */
     const uint8_t* current_option_ptr() const;
 

src/utils/radiotap_parser.cpp

@@ -65,7 +65,7 @@ const RadioTapParser::FieldMetadata RadioTapParser::RADIOTAP_METADATA[] = {
 };
 
 const uint32_t RadioTapParser::MAX_RADIOTAP_FIELD = sizeof(RADIOTAP_METADATA) /
-                                                    sizeof(FieldMetadata) + 1;
+                                                    sizeof(FieldMetadata);
 
 #if TINS_IS_LITTLE_ENDIAN
 TINS_BEGIN_PACK
@@ -135,9 +135,6 @@ void align_buffer(const uint8_t* buffer_start, const uint8_t*& buffer, uint32_t
     uint32_t offset = (buffer - buffer_start) & (n - 1);
     if (offset) {
         offset = n - offset;
-        if (TINS_UNLIKELY(offset > size)) {
-            throw malformed_packet();
-        }
         buffer += offset;
     }
 }