Date:      Thu, 23 Feb 2017 16:32:39 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 217312] [patch] /sbin/ifconfig core dumps on bad WPS frame data
Message-ID:  <bug-217312-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217312

            Bug ID: 217312
           Summary: [patch] /sbin/ifconfig core dumps on bad WPS frame
                    data
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fbsd@opal.com

Created attachment 180244
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=180244&action=edit
patch to detect bad length value in WPS IE attribute

Thanks to Takashi Inoue at Nihon U for his efforts in debugging this.

Some APs broadcast WPS IE frames with totally broken data.  Ifconfig's
printwpsie() loops through WPS frames printing the attributes out; if the
frame's data is bad, printwpsie() can end up looking at out-of-bounds addresses
causing ifconfig to bus error.

This is an example of a bad WPS IE frame received...

ielen=41, len=39
printwpsie() ie[0]=0xdd
printwpsie() ie[1]=0x27
printwpsie() ie[2]=0x0
printwpsie() ie[3]=0x50
printwpsie() ie[4]=0xf2
printwpsie() ie[5]=0x4
printwpsie() ie[6]=0x10          <- id[0]
printwpsie() ie[7]=0x4a          <- id[1], id=0x104a VERSION
printwpsie() ie[8]=0x4a          <- len[0], broken should be 0
printwpsie() ie[9]=0x1           <- len[1]
printwpsie() ie[10]=0x10
printwpsie() ie[11]=0x1          <- id[0]
printwpsie() ie[12]=0x10         <- id[1], broken 0x0110 is not a valid ID value
printwpsie() ie[13]=0x0
printwpsie() ie[14]=0x1
printwpsie() ie[15]=0x2
printwpsie() ie[16]=0x10
printwpsie() ie[17]=0x47
printwpsie() ie[18]=0x0
printwpsie() ie[19]=0x10
printwpsie() ie[20]=0xe5
printwpsie() ie[21]=0x85
printwpsie() ie[22]=0xf2
printwpsie() ie[23]=0xf8
printwpsie() ie[24]=0xf8
printwpsie() ie[25]=0x9a
printwpsie() ie[26]=0x11
printwpsie() ie[27]=0x9a
printwpsie() ie[28]=0x11
printwpsie() ie[29]=0x3b
printwpsie() ie[30]=0x4b
printwpsie() ie[31]=0x3b
printwpsie() ie[32]=0x4b
printwpsie() ie[33]=0x10
printwpsie() ie[34]=0xc3
printwpsie() ie[35]=0x10
printwpsie() ie[36]=0xc3
printwpsie() ie[37]=0x3c
printwpsie() ie[38]=0x0
printwpsie() ie[39]=0x3c
printwpsie() ie[40]=0x3c

We do not currently have the manufacturer/model number of the offending device.
We are attempting to get it and will post back here if/when we do.

The attached patch to src/sbin/ifconfig/ifieee80211.c detects an invalid
attribute length and aborts the loop, thereby handling the bad frame properly.

This also affects 11.0 and probably 10.0 too, please MFC.

-- 
You are receiving this mail because:
You are the assignee for the bug.
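The following is an added example, not the attached patch and not the ifconfig source: a bounds-checked walk over the WPS attribute TLVs, run on a constructed copy of the 41-byte dump in the report and on a constructed well-formed IE. It assumes the layout the report's annotations imply (a 6-byte vendor header 0xdd/len/OUI 00:50:f2/type 0x04, then attributes as 2-byte big-endian id followed by 2-byte big-endian length); the second attribute id 0x1044 in the well-formed IE and the error-code names are assumptions of this example. The length check before advancing is the validation whose absence lets the loop read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the attribute walk (names are this example's own). */
enum {
    WPS_ERR_HEADER    = -1, /* not a WPS vendor IE, or ie[1] disagrees with ielen */
    WPS_ERR_SHORT_TLV = -2, /* fewer than 4 bytes left where an id/len header should be */
    WPS_ERR_BAD_LEN   = -3  /* attribute length runs past the end of the IE */
};

/* Constructed copy of the 41-byte IE dumped in the bug report (ie[0..40]). */
static const uint8_t bad_wps_ie[] = {
    0xdd, 0x27, 0x00, 0x50, 0xf2, 0x04,             /* tag, len=39, OUI 00:50:f2, type 4 */
    0x10, 0x4a, 0x4a, 0x01, 0x10, 0x01, 0x10, 0x00, /* id 0x104a, len 0x4a01: broken   */
    0x01, 0x02, 0x10, 0x47, 0x00, 0x10, 0xe5, 0x85,
    0xf2, 0xf8, 0xf8, 0x9a, 0x11, 0x9a, 0x11, 0x3b,
    0x4b, 0x3b, 0x4b, 0x10, 0xc3, 0x10, 0xc3, 0x3c,
    0x00, 0x3c, 0x3c
};

/* Constructed well-formed IE: VERSION (0x104a) = 0x10, then a second 1-byte
 * attribute with the assumed id 0x1044; ie[1] = 14 covers the 14 bytes after it. */
static const uint8_t good_wps_ie[] = {
    0xdd, 0x0e, 0x00, 0x50, 0xf2, 0x04,
    0x10, 0x4a, 0x00, 0x01, 0x10,
    0x10, 0x44, 0x00, 0x01, 0x02
};

/* Bounds-checked walk over the attribute TLVs (2-byte id, 2-byte length, both
 * big-endian) that follow the 6-byte vendor header.  Returns the number of
 * attributes when every one fits inside the IE, otherwise a negative code.
 * Every index used below has been checked against ielen before the access. */
int walk_wps_attrs(const uint8_t *ie, size_t ielen)
{
    if (ielen < 6 || ie[0] != 0xdd || (size_t)ie[1] + 2 != ielen ||
        ie[2] != 0x00 || ie[3] != 0x50 || ie[4] != 0xf2 || ie[5] != 0x04)
        return WPS_ERR_HEADER;

    size_t off = 6;
    int n = 0;
    while (off < ielen) {
        if (ielen - off < 4)                 /* need a full id/len header */
            return WPS_ERR_SHORT_TLV;
        uint16_t id  = (uint16_t)((ie[off] << 8) | ie[off + 1]);
        uint16_t len = (uint16_t)((ie[off + 2] << 8) | ie[off + 3]);
        off += 4;
        if (len > ielen - off)               /* value would extend past the buffer */
            return WPS_ERR_BAD_LEN;
        printf("  attr id=0x%04x len=%u\n", id, (unsigned)len);
        off += len;
        n++;
    }
    return n;
}

int main(void)
{
    printf("well-formed IE -> %d attributes\n",
           walk_wps_attrs(good_wps_ie, sizeof good_wps_ie));
    printf("IE from the report -> %d (negative = rejected)\n",
           walk_wps_attrs(bad_wps_ie, sizeof bad_wps_ie));
    return 0;
}
```

On the report's IE the first attribute header decodes to id 0x104a with length 0x4a01 (18945), far more than the 31 bytes remaining, so the walk stops with WPS_ERR_BAD_LEN before touching anything beyond the buffer; the well-formed IE yields two attributes.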