wlantest: Fix buffer read overflow on CCMP encryption

The encryption code may write a full AES block to the end of the
buffer, so make sure the temporary buffer is long enough to fit that
data.

diff --git a/wlantest/ccmp.c b/wlantest/ccmp.c
index 12add4d4e9e5d85bc6821886b02c34e3c7f553ce..c632e399c34ea4ef574ebaa758d06621368643cd 100644 (file)
--- a/wlantest/ccmp.c
+++ b/wlantest/ccmp.c
@@ -109,7 +109,7 @@ u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
        if (data_len < 8 + 8)
                return NULL;
 
-       plain = os_malloc(data_len);
+       plain = os_malloc(data_len + AES_BLOCK_SIZE);
        if (plain == NULL)
                return NULL;
 
@@ -241,7 +241,7 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos,
        plen = len - hdrlen;
        last = plen % AES_BLOCK_SIZE;
 
-       crypt = os_malloc(hdrlen + 8 + plen + 8);
+       crypt = os_malloc(hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE);
        if (crypt == NULL)
                return NULL;