Fix some issues with Radiotap headers.

Only the BPF header must be contiguous. By treating Radiotap header specially, we ended up with uninitialized bytes at the beginning of 802.11 frames, and an equivalent amount truncated from the end. Also, we were not considering the length of the Radiotap header in checking if there was enough free space in the circular buffer. This could lead to overlapping/overwriting frames that should be dropped instead. Possibly related issues: * nmap/nmap#1001 * nmap/nmap#1028 * nmap/nmap#1036
Jaysonvn1234 · Oct 23, 2017 · 85c424b · 85c424b
1 parent 5d9e815
commit 85c424b
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/packetWin7/npf/npf/Read.c b/packetWin7/npf/npf/Read.c
@@ -1158,7 +1158,11 @@ NPF_TapExForEachOpen(
 					if (fres > TotalPacketSize)
 						fres = TotalPacketSize;
 
-					if (fres + sizeof(struct PacketHeader) > LocalData->Free)
+					if (fres + sizeof(struct PacketHeader)
+#ifdef HAVE_DOT11_SUPPORT
+							+ Dot11RadiotapHeaderSize
+#endif
+							> LocalData->Free)
 					{
 						LocalData->Dropped++;
 						IF_LOUD(DbgPrint("LocalData->Dropped++, fres = %d, LocalData->Free = %d\n", fres, LocalData->Free);)
@@ -1220,10 +1224,17 @@ NPF_TapExForEachOpen(
 							// the NewHeader structure, at least, otherwise we skip the producer
 							increment += Open->Size - LocalData->P; // at the beginning of the buffer (p = 0), and decrement the free bytes appropriately
 							LocalData->P = 0;
+							//the Radiotap header will be fragmented in the buffer (aka, it will skip the buffer boundary)
+							ToCopy = Open->Size - LocalData->P;
+							NdisMoveMappedMemory(LocalData->Buffer + LocalData->P, Dot11RadiotapHeader, ToCopy);
+							NdisMoveMappedMemory(LocalData->Buffer + 0, Dot11RadiotapHeader + ToCopy, Dot11RadiotapHeaderSize - ToCopy);
+							LocalData->P = Dot11RadiotapHeaderSize - ToCopy;
+						}
+						else
+						{
+							NdisMoveMappedMemory(LocalData->Buffer + LocalData->P, Dot11RadiotapHeader, Dot11RadiotapHeaderSize);
+							LocalData->P += Dot11RadiotapHeaderSize;
 						}
-
-						NdisMoveMappedMemory(LocalData->Buffer + LocalData->P, Dot11RadiotapHeader, Dot11RadiotapHeaderSize);
-						LocalData->P += Dot11RadiotapHeaderSize;
 						if (LocalData->P == Open->Size)
 							LocalData->P = 0;
 						increment += Dot11RadiotapHeaderSize;