---
scan.c | 22 +++++++++++++++++++++-
1 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/scan.c b/scan.c
index 720c48d..9698f9f 100644
--- a/scan.c
+++ b/scan.c
@@ -317,9 +317,12 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
}
count = data[0] | (data[1] << 8);
+ if (2 + (count * 4) > len)
+ goto invalid;
+
tab_on_first(&first);
printf("\t * Pairwise ciphers:");
- for (i=0; i<count; i++) {
+ for (i = 0; i < count; i++) {
printf(" ");
print_cipher(data + 2 + (i * 4));
}
@@ -335,6 +338,9 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
}
count = data[0] | (data[1] << 8);
+ if (2 + (count * 4) > len)
+ goto invalid;
+
tab_on_first(&first);
printf("\t * Authentication suites:");
for (i = 0; i < count; i++) {
@@ -352,6 +358,20 @@ static void print_rsn_ie(const char *defcipher, const char *defauth,
capa = data[0] | (data[1] << 8);
tab_on_first(&first);
printf("\t * Capabilities: 0x%.4x\n", capa);
+
+ data += 2;
+ len -= 2;
+
+invalid:
+ if (len != 0) {
+ printf("\t\t * bogus tail data (%d):", len);
+ while (len) {
+ printf(" %.2x", *data);
+ data++;
+ len--;
+ }
+ printf("\n");
+ }
}
static void print_rsn(const uint8_t type, uint8_t len, const uint8_t *data)
--
1.6.0.6
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
