wlantest: Fix buffer read overflow on CCMP encryption

The encryption code may write a full AES block to the end of the
buffer, so make sure the temporary buffer is long enough to fit that
data.
This commit is contained in:
Jouni Malinen 2010-12-17 11:02:56 +02:00 committed by Jouni Malinen
parent 4d00fe48e3
commit 71a7e936e1

View file

@ -109,7 +109,7 @@ u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
if (data_len < 8 + 8) if (data_len < 8 + 8)
return NULL; return NULL;
plain = os_malloc(data_len); plain = os_malloc(data_len + AES_BLOCK_SIZE);
if (plain == NULL) if (plain == NULL)
return NULL; return NULL;
@ -241,7 +241,7 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos,
plen = len - hdrlen; plen = len - hdrlen;
last = plen % AES_BLOCK_SIZE; last = plen % AES_BLOCK_SIZE;
crypt = os_malloc(hdrlen + 8 + plen + 8); crypt = os_malloc(hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE);
if (crypt == NULL) if (crypt == NULL)
return NULL; return NULL;