From 44b8597813d8a7341b5f51ddc501c4983c314402 Mon Sep 17 00:00:00 2001
From: Uwez Khan
Date: Tue, 23 Jun 2026 22:49:28 +0530
Subject: [PATCH] bound capwap decap reads to caplen in dissectPacket
---
 src/NetworkInterface.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/NetworkInterface.cpp b/src/NetworkInterface.cpp
index 2d2dc581e9b0..4747221aecb9 100644
--- a/src/NetworkInterface.cpp
+++ b/src/NetworkInterface.cpp
@@ -3417,11 +3417,19 @@ bool NetworkInterface::dissectPacket(
 */
 u_short eth_type;
 ip_offset = ip_offset + ip_len + sizeof(struct ndpi_udphdr);
+
+ if ((ip_offset + 1) >= h->caplen) {
+ incStats(ingressPacket, h->ts.tv_sec, 0, NDPI_PROTOCOL_UNKNOWN,
+ NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, 0, len_on_wire, 1,
+ NULL /* srcMac */, NULL /* dstMac */);
+ goto dissect_packet_end;
+ }
+
 u_int8_t capwap_header_len = ((*(u_int8_t*)&packet[ip_offset + 1]) >> 3) * 4;
 ip_offset = ip_offset + capwap_header_len + 24 + 8;
- if (ip_offset >= h->len) {
+ if (ip_offset >= h->caplen) {
 incStats(ingressPacket, h->ts.tv_sec, 0, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, 0, len_on_wire, 1, NULL /* srcMac */, NULL /* dstMac */);
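Review bot: The second guard, `if (ip_offset >= h->caplen) {`, only proves that the single byte at `ip_offset` lies inside the captured buffer. `u_short eth_type` is declared at the top of this hunk, but the code that fills it is outside the hunk, as is the rest of dissectPacket. If that code loads a 16-bit value from `&packet[ip_offset]`, a frame captured with exactly one byte left after the CAPWAP/802.11/LLC headers would still be read one byte past caplen. Consider `if ((ip_offset + sizeof(u_int16_t)) > h->caplen) {` for that check, plus a one-line comment on both guards such as `/* bound by caplen (bytes actually captured), not len (wire length) */` so the distinction is not lost in a later edit. The two early-exit blocks are identical and could share a single path.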