From 71a7e936e12d950fbaf613022a060a9ae07750d1 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 17 Dec 2010 11:02:56 +0200 Subject: [PATCH] wlantest: Fix buffer read overflow on CCMP encryption The encryption code may write a full AES block to the end of the buffer, so make sure the temporary buffer is long enough to fit that data. --- wlantest/ccmp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wlantest/ccmp.c b/wlantest/ccmp.c index 12add4d4e..c632e399c 100644 --- a/wlantest/ccmp.c +++ b/wlantest/ccmp.c @@ -109,7 +109,7 @@ u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, if (data_len < 8 + 8) return NULL; - plain = os_malloc(data_len); + plain = os_malloc(data_len + AES_BLOCK_SIZE); if (plain == NULL) return NULL; @@ -241,7 +241,7 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos, plen = len - hdrlen; last = plen % AES_BLOCK_SIZE; - crypt = os_malloc(hdrlen + 8 + plen + 8); + crypt = os_malloc(hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE); if (crypt == NULL) return NULL;