Fix invalid memory accesses when parsing bogus RadioTap

2026-01-23 02:35:57 +01:00 · 2017-11-25 17:12:30 -08:00
parent 39f3b24058
commit e16fe46d7a
2 changed files with 12 additions and 1 deletions
--- a/src/utils/radiotap_parser.cpp
+++ b/src/utils/radiotap_parser.cpp
@@ -152,6 +152,9 @@ RadioTapParser::RadioTapParser(const vector<uint8_t>& buffer)
        current_flags_ = 0;
    }
    else {
+        if (TINS_UNLIKELY(buffer.size() < sizeof(RadioTapFlags))) {
+            throw malformed_packet();
+        }
        start_ = &*buffer.begin();
        end_ = start_ + buffer.size();
        load_current_flags();
@@ -257,11 +260,11 @@ const uint8_t* RadioTapParser::find_options_start() const {
    // Skip fields before the flags one
    const RadioTapFlags* flags = get_flags_ptr();
    while (flags->ext == 1) {
+        total_sz -= sizeof(RadioTapFlags);
        if (TINS_UNLIKELY(total_sz < sizeof(RadioTapFlags))) {
            throw malformed_packet();
        }
        ++flags;
-        total_sz -= sizeof(RadioTapFlags);
    }
    return reinterpret_cast<const uint8_t*>(flags) + sizeof(RadioTapFlags);
 }
--- a/tests/src/radiotap_test.cpp
+++ b/tests/src/radiotap_test.cpp
@@ -626,6 +626,14 @@ TEST_F(RadioTapTest, RadioTapParsingUsingEmptyBuffer) {
    EXPECT_FALSE(parser.has_field(RadioTap::ANTENNA));
 }

+TEST_F(RadioTapTest, RadioTapParsingUsingBogusBuffer) {
+    vector<uint8_t> buffer;
+    for (int i = 0; i < 4; ++i) {
+        buffer.push_back(0xff);
+    }
+    EXPECT_THROW(RadioTapParser parser(buffer), malformed_packet);
+}
+
 TEST_F(RadioTapTest, RadioTapWritingEmptyBuffer) {
    vector<uint8_t> buffer;
    RadioTapWriter writer(buffer);