Date: Thu, 01 Apr 2021 11:45:25 +0000
From: cutesmilee <cutesmilee.research@protonmail.com>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Missing size checks in ieee80211_ioctl_get80211() could lead to stack overflows
Message-ID: <GSNhCW7AFLO0FFwgrcXw7T0amOHspWQ9rmfUJMOYZFReu_8SBnb3qwHEKdSBGSGLvxfLL2n6FtS2tie5OtcptMtqY_9XJ_oN9ho-rfAdQd4=@protonmail.com>
ieee80211_ioctl_get80211() doesn't check the length provided by the user, and this can lead to out-of-bounds read and write in the stack, which can lead to a denial of service. This issue is present in the latest FreeBSD sources.

ireq->i_len is a user-provided length (it's a uint16_t, so can be 65536 at max).

For the IEEE80211_IOC_SSID command, in the IEEE80211_S_SCAN or default case an out-of-bounds copy to tmpssid (32-byte stack buffer) can happen if vap->id_des_ssid[0].len is set to a large value; also an out-of-bounds read from tmpssid will happen due to a copyout() using the same size.

The same thing can happen with IEEE80211_IOC_WEPKEY (just with another user-controlled size).
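The check the report says is missing, shown as an added example that is not FreeBSD's code: a simplified, hardened stand-in for the IEEE80211_IOC_SSID read path, where every length feeding a copy into or out of the 32-byte stack buffer is bounded first. The structures (ssid_entry, ssid_req), the function name and the plain-buffer stand-in for copyout() are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IEEE80211_NWID_LEN 32  /* maximum SSID length; tmpssid in the report is this size */

/* Constructed, simplified stand-ins for the kernel structures the report names.
 * They are not FreeBSD's definitions. */
struct ssid_entry { uint8_t len; uint8_t ssid[IEEE80211_NWID_LEN]; };  /* vap->id_des_ssid[0] */
struct ssid_req   { uint16_t i_len; };                                 /* ireq->i_len: user-controlled */

/* Hardened variant of the IEEE80211_IOC_SSID path. Returns 0 and stores the
 * number of bytes delivered in *out_len, or an errno value when a length
 * would exceed the stack buffer or the destination. */
int get80211_ssid_checked(const struct ssid_entry *des_ssid,
                          const struct ssid_req *ireq,
                          uint8_t *user_buf, size_t user_buf_size, size_t *out_len)
{
    uint8_t tmpssid[IEEE80211_NWID_LEN];
    size_t len;

    /* Check 1: the driver-side SSID length is bounded before the copy into the
     * stack buffer. Without it this memcpy is the out-of-bounds write in the report. */
    if (des_ssid->len > sizeof(tmpssid))
        return EINVAL;
    memset(tmpssid, 0, sizeof(tmpssid));
    memcpy(tmpssid, des_ssid->ssid, des_ssid->len);
    len = des_ssid->len;

    /* Check 2: the user-supplied i_len is bounded too, so the copy out of tmpssid
     * can never read past it; also never deliver more bytes than were filled. */
    if (ireq->i_len > sizeof(tmpssid))
        return EINVAL;
    if (ireq->i_len < len)
        len = ireq->i_len;

    /* Stand-in for copyout(): in the kernel the destination is user memory. */
    if (user_buf_size < len)
        return EFAULT;
    memcpy(user_buf, tmpssid, len);
    *out_len = len;
    return 0;
}
```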
