aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <jouni.malinen@atheros.com>2010-12-17 09:02:56 (GMT)
committerJouni Malinen <j@w1.fi>2010-12-17 09:02:56 (GMT)
commit71a7e936e12d950fbaf613022a060a9ae07750d1 (patch)
tree18c0b38e60d90b6ef4a43a8c890cdb54926a7de2
parent4d00fe48e3ce935cc04c668c0b0dfd3d94719f5a (diff)
downloadhostap-71a7e936e12d950fbaf613022a060a9ae07750d1.zip
hostap-71a7e936e12d950fbaf613022a060a9ae07750d1.tar.gz
hostap-71a7e936e12d950fbaf613022a060a9ae07750d1.tar.bz2
wlantest: Fix buffer read overflow on CCMP encryption
The encryption code may write a full AES block to the end of the buffer, so make sure the temporary buffer is long enough to fit that data.
-rw-r--r--wlantest/ccmp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/wlantest/ccmp.c b/wlantest/ccmp.c
index 12add4d..c632e39 100644
--- a/wlantest/ccmp.c
+++ b/wlantest/ccmp.c
@@ -109,7 +109,7 @@ u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
if (data_len < 8 + 8)
return NULL;
- plain = os_malloc(data_len);
+ plain = os_malloc(data_len + AES_BLOCK_SIZE);
if (plain == NULL)
return NULL;
@@ -241,7 +241,7 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos,
plen = len - hdrlen;
last = plen % AES_BLOCK_SIZE;
- crypt = os_malloc(hdrlen + 8 + plen + 8);
+ crypt = os_malloc(hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE);
if (crypt == NULL)
return NULL;