From e16fe46d7ac833d4bc6b75f68700be5362cb284e Mon Sep 17 00:00:00 2001
From: Matias Fontanini
Date: Sat, 25 Nov 2017 17:12:30 -0800
Subject: [PATCH] Fix invalid memory accesses when parsing bogus RadioTap

---
 src/utils/radiotap_parser.cpp | 5 ++++-
 tests/src/radiotap_test.cpp   | 8 ++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/utils/radiotap_parser.cpp b/src/utils/radiotap_parser.cpp
index e3d4f3b..cff4b16 100644
--- a/src/utils/radiotap_parser.cpp
+++ b/src/utils/radiotap_parser.cpp
@@ -152,6 +152,9 @@ RadioTapParser::RadioTapParser(const vector& buffer)
         current_flags_ = 0;
     }
     else {
+        if (TINS_UNLIKELY(buffer.size() < sizeof(RadioTapFlags))) {
+            throw malformed_packet();
+        }
         start_ = &*buffer.begin();
         end_ = start_ + buffer.size();
         load_current_flags();
@@ -257,11 +260,11 @@ const uint8_t* RadioTapParser::find_options_start() const {
     // Skip fields before the flags one
     const RadioTapFlags* flags = get_flags_ptr();
     while (flags->ext == 1) {
+        total_sz -= sizeof(RadioTapFlags);
         if (TINS_UNLIKELY(total_sz < sizeof(RadioTapFlags))) {
             throw malformed_packet();
         }
         ++flags;
-        total_sz -= sizeof(RadioTapFlags);
     }
     return reinterpret_cast(flags) + sizeof(RadioTapFlags);
 }
diff --git a/tests/src/radiotap_test.cpp b/tests/src/radiotap_test.cpp
index c3c7f0c..7ac95f8 100644
--- a/tests/src/radiotap_test.cpp
+++ b/tests/src/radiotap_test.cpp
@@ -626,6 +626,14 @@ TEST_F(RadioTapTest, RadioTapParsingUsingEmptyBuffer) {
     EXPECT_FALSE(parser.has_field(RadioTap::ANTENNA));
 }
 
+TEST_F(RadioTapTest, RadioTapParsingUsingBogusBuffer) {
+    vector buffer;
+    for (int i = 0; i < 4; ++i) {
+        buffer.push_back(0xff);
+    }
+    EXPECT_THROW(RadioTapParser parser(buffer), malformed_packet);
+}
+
 TEST_F(RadioTapTest, RadioTapWritingEmptyBuffer) {
     vector buffer;
     RadioTapWriter writer(buffer);
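Review bot: The new size check in the RadioTapParser constructor, like the total_sz arithmetic in find_options_start, treats `sizeof(RadioTapFlags)` as the width of one radiotap present-flags word, but nothing in this patch pins that size; if the struct were ever not packed to the on-wire width the bounds check would pass buffers that load_current_flags() then over-reads. A `static_assert(sizeof(RadioTapFlags) == 4, "RadioTapFlags must match the 4-byte present word");` next to the struct definition (not in this hunk) would make that assumption fail at compile time instead of at parse time. The check itself reads correctly: it rejects a non-empty buffer shorter than one flags word before `&*buffer.begin()` and load_current_flags() touch it. The constructor body continues past the end of the hunk, so whatever follows load_current_flags() is not reviewed here.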
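Review bot: The subtract-then-check ordering in the while loop is the entire fix here, and nothing in the code says why, so a later "cleanup" could easily swap the two statements back and reintroduce the out-of-bounds read of `flags->ext` on the next iteration. A short comment above the subtraction would protect it, e.g. `// total_sz is the byte count from *flags to the end; shrink it before advancing so the next flags word is known to fit before its ext bit is read`. This relies on total_sz being initialised to the bytes remaining from the first flags word and on at least one word being present, both of which are established outside the hunk (the latter presumably by the new constructor check); the function's opening lines are not visible, so that invariant should be confirmed there. With that invariant, the post-loop `reinterpret_cast(flags) + sizeof(RadioTapFlags)` stays within the buffer, since total_sz is at least one word whenever the loop exits.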
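Review bot: The new test only reaches the find_options_start path: four 0xff bytes are presumably exactly one flags word with its ext bit set, so the constructor's new `buffer.size() < sizeof(RadioTapFlags)` check passes and the throw comes from the loop. The constructor check itself is left untested; a second case with a one- to three-byte buffer (e.g. `buffer.assign(2, 0xff);` followed by the same EXPECT_THROW) would pin it, and an eight-byte all-0xff buffer would cover the loop rejecting a second extended word. The element type of `vector buffer` appears to have been lost in extraction, so this comment does not touch it.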