Explicitly check to make sure the header length isn't too short.

author: Guy Harris <guy@alum.mit.edu> 2018-08-08 13:41:44 -0700
committer: Guy Harris <guy@alum.mit.edu> 2018-08-08 13:41:44 -0700
commit: cf99f0bc838a5f82391a72c1e074781cfacd4cef (patch)
tree: de01daa44307599d35af21a22fddfc14f65907bf /print-802_11.c
parent: 009bd798b51d25d1b7f0dc7629fe7350eff9cf73 (diff)
download: tcpdump-cf99f0bc838a5f82391a72c1e074781cfacd4cef.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/print-802_11.c b/print-802_11.c
index 227e1bf3..8a4b3bdb 100644
--- a/print-802_11.c
+++ b/print-802_11.c
@@ -3089,6 +3089,15 @@ ieee802_11_radio_print(netdissect_options *ndo,
 	hdr = (const struct ieee80211_radiotap_header *)p;
 
 	len = EXTRACT_LE_U_2(hdr->it_len);
+	if (len < sizeof(*hdr)) {
+		/*
+		 * The length is the length of the entire header, so
+		 * it must be as large as the fixed-length part of
+		 * the header.
+		 */
+		nd_print_trunc(ndo);
+		return caplen;
+	}
 
 	/*
 	 * If we don't have the entire radiotap header, just give up.
author	Guy Harris <guy@alum.mit.edu>	2018-08-08 13:41:44 -0700
committer	Guy Harris <guy@alum.mit.edu>	2018-08-08 13:41:44 -0700
commit	cf99f0bc838a5f82391a72c1e074781cfacd4cef (patch)
tree	de01daa44307599d35af21a22fddfc14f65907bf /print-802_11.c
parent	009bd798b51d25d1b7f0dc7629fe7350eff9cf73 (diff)
download	tcpdump-cf99f0bc838a5f82391a72c1e074781cfacd4cef.tar.gz