Ethereal-dev: [Ethereal-dev] 802.11 dissector: rates information element with zero bytes leads

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Sun, 25 Dec 2005 17:18:00 +0100 (CET)
Hello list,

>From the Debian bug database this bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342588

The rates information element with zero tag length leads to uninitialised
memory access, presenting bogus data for the element. The attached patch
takes care of that.

Thanx,
Jaap
Index: packet-ieee80211.c
===================================================================
--- packet-ieee80211.c	(revision 16893)
+++ packet-ieee80211.c	(working copy)
@@ -1380,6 +1380,12 @@
 
     case TAG_SUPP_RATES:
     case TAG_EXT_SUPP_RATES:
+      if (tag_len < 1)
+      {
+        proto_tree_add_text (tree, tvb, offset + 2, tag_len, "Tag length %u too short, must be > 0",
+                             tag_len);
+        break;
+      }
       tag_data_ptr = tvb_get_ptr (tvb, offset + 2, tag_len);
       for (i = 0, n = 0; i < tag_len && n < SHORT_STR; i++) {
         ret = snprintf (print_buff + n, SHORT_STR - n, "%2.1f%s ",