Missing size checks in ieee80211_ioctl_get80211() could lead to stack overflows

cutesmilee via freebsd-security Fri, 02 Apr 2021 01:02:15 -0700

ieee80211_ioctl_get80211() doesn't check the length provided by the user, and this can lead to out-of-bounds read and write in the stack, which can lead to a denial of service. This issue is present in the latest FreeBSD sources.

ireq->i_len is a user-provided length (it's a uint16_t, so can be 65536 at max). For the IEEE80211_IOC_SSID command, in the IEEE80211_S_SCAN or default case an out-of-bounds copy to tmpssid (32-byte stack buffer) can happen if vap->id_des_ssid[0].len is set to a large value; also, an out-of-bounds read from tmpssid will happen due to a copyout() using the same size. The same thing can happen with IEEE80211_IOC_WEPKEY (just with another user-controlled size).

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
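The bug class the post describes is a "get" ioctl that copies a length-tagged value through a fixed-size stack buffer without bounding either the driver-side length or the user-supplied one. The following is an added example, not code from the post or from FreeBSD's net80211: the `struct req` and `struct vap` types, the `copyout_sim()` stand-in for copyout(), and the SSID/WEP-key sizes are constructed for the illustration. It shows the bounded-copy pattern a fixed handler needs, with both the SSID case and the WEP-key case going through one checked helper so neither length can exceed the stack buffer or what the caller asked for.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel objects; these are NOT FreeBSD's
 * real struct ieee80211req / struct ieee80211vap definitions. */
#define SSID_MAX    32              /* size of the tmpssid-style stack buffer */
#define WEPKEY_MAX  13              /* 104-bit WEP key, fits inside SSID_MAX */

struct req {                        /* hypothetical user request */
    uint16_t i_len;                 /* user-supplied length (0..65535) */
    uint8_t *i_data;                /* user buffer */
    size_t   i_data_cap;            /* capacity of that buffer (simulation only) */
};

struct vap {                        /* hypothetical driver state */
    uint8_t des_ssid[SSID_MAX];
    uint8_t des_ssid_len;           /* untrusted here: may have been set too large */
    uint8_t wepkey[WEPKEY_MAX];
    uint8_t wepkey_len;
};

/* Simulated copyout(): fails the way a faulting user address would. */
static int copyout_sim(const void *src, struct req *ir, size_t len)
{
    if (len > ir->i_data_cap)
        return EFAULT;
    memcpy(ir->i_data, src, len);
    return 0;
}

/*
 * Bounded copy through a fixed stack buffer. The driver-side length must
 * fit the buffer and the command's own maximum, and the caller must have
 * asked for at least that many bytes, before a single byte is copied.
 * copyout then uses exactly the bounded length, so no over-read either.
 */
static int copy_bounded(struct req *ir, const uint8_t *src, size_t src_len, size_t cap)
{
    uint8_t tmp[SSID_MAX];

    if (cap > sizeof(tmp) || src_len > cap)   /* driver-side length too large */
        return EINVAL;
    if (ir->i_len < src_len)                  /* user buffer declared too small */
        return EINVAL;

    memset(tmp, 0, sizeof(tmp));
    memcpy(tmp, src, src_len);
    ir->i_len = (uint16_t)src_len;            /* report only the bounded length */
    return copyout_sim(tmp, ir, src_len);
}

int get_ssid_checked(const struct vap *v, struct req *ir)
{
    return copy_bounded(ir, v->des_ssid, v->des_ssid_len, SSID_MAX);
}

int get_wepkey_checked(const struct vap *v, struct req *ir)
{
    return copy_bounded(ir, v->wepkey, v->wepkey_len, WEPKEY_MAX);
}

/* Exercises the checks on constructed state; returns 0 if every case
 * behaves as intended, otherwise the number of the first failing case. */
int run_checks(void)
{
    struct vap v;
    uint8_t out[64];
    struct req r = { 64, out, sizeof(out) };

    memset(&v, 0, sizeof(v));
    memcpy(v.des_ssid, "testnet", 7);
    v.des_ssid_len = 7;
    memset(v.wepkey, 0xAB, WEPKEY_MAX);
    v.wepkey_len = WEPKEY_MAX;

    /* 1: well-formed SSID request copies exactly 7 bytes */
    if (get_ssid_checked(&v, &r) != 0 || r.i_len != 7 || memcmp(out, "testnet", 7) != 0)
        return 1;
    /* 2: oversized driver-side length is rejected, even with a huge i_len */
    v.des_ssid_len = 200; r.i_len = 65535;
    if (get_ssid_checked(&v, &r) != EINVAL)
        return 2;
    /* 3: user length smaller than the value is rejected, not truncated silently */
    v.des_ssid_len = 7; r.i_len = 3;
    if (get_ssid_checked(&v, &r) != EINVAL)
        return 3;
    /* 4: WEP key path uses its own, smaller maximum */
    r.i_len = 64;
    if (get_wepkey_checked(&v, &r) != 0 || r.i_len != WEPKEY_MAX)
        return 4;
    v.wepkey_len = WEPKEY_MAX + 1;
    if (get_wepkey_checked(&v, &r) != EINVAL)
        return 5;
    return 0;
}

int main(void)
{
    printf("run_checks() = %d\n", run_checks());
    return 0;
}
```

The point of routing both commands through `copy_bounded()` is that the per-command maximum is passed in explicitly and checked against the shared stack buffer, so adding a new command cannot reintroduce an unbounded memcpy, and a too-small user length is an error rather than a partial copy the caller might misinterpret.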