3rd-party/libtins
1
0
Fork 0
mirror of https://github.com/mfontanini/libtins synced 2026-01-25 03:31:36 +01:00
Code Issues Releases Wiki Activity

Fix invalid memory accesses when parsing bogus RadioTap

Browse Source
This commit is contained in:
Matias Fontanini
2017-11-25 17:12:30 -08:00
parent 39f3b24058
commit e16fe46d7a
2 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/utils/radiotap_parser.cpp
View File

@@ -152,6 +152,9 @@ RadioTapParser::RadioTapParser(const vector<uint8_t>& buffer)
current_flags_ = 0;
}
else {
if (TINS_UNLIKELY(buffer.size() < sizeof(RadioTapFlags))) {
throw malformed_packet();
}
start_ = &*buffer.begin();
end_ = start_ + buffer.size();
load_current_flags();
@@ -257,11 +260,11 @@ const uint8_t* RadioTapParser::find_options_start() const {
// Skip fields before the flags one
const RadioTapFlags* flags = get_flags_ptr();
while (flags->ext == 1) {
total_sz -= sizeof(RadioTapFlags);
if (TINS_UNLIKELY(total_sz < sizeof(RadioTapFlags))) {
throw malformed_packet();
}
++flags;
total_sz -= sizeof(RadioTapFlags);
}
return reinterpret_cast<const uint8_t*>(flags) + sizeof(RadioTapFlags);
}