https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254479
Bug ID: 254479
Summary: Kernel remote heap overflow in Realtek RTL8188SU/RTL8191SU/RTL8192SU Wifi Cards driver
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wirel...@freebsd.org
Reporter: cutesmilee.busin...@gmail.com

rsu_raw_xmit(), in its last if statement, calls rsu_tx_start(), taking a user-controlled mbuf as a parameter. At the end of the function m_copydata() is called, and it copies the user-controlled mbuf with the length of the packet / the length of the mbuf (which isn't checked); the smaller size is taken (the user can provide a big payload), and the mbuf gets copied to the TX descriptor struct (struct r92s_tx_desc), which is 32 bytes.

These vulnerabilities are only for Realtek RTL8188SU/RTL8191SU/RTL8192SU wifi cards (that are connected via USB?).

Vulnerable code:

static int
rsu_tx_start(struct rsu_softc *sc, struct ieee80211_node *ni,
    struct mbuf *m0, struct rsu_data *data)
{
	struct ieee80211vap *vap = ni->ni_vap;
	struct ieee80211_frame *wh;
	struct ieee80211_key *k = NULL;
	struct r92s_tx_desc *txd;
	uint8_t type;
	int prio = 0;
	uint8_t which;
	int hasqos;
	int xferlen;
	int qid;

	[...]

	xferlen = sizeof(*txd) + m0->m_pkthdr.len;
	m_copydata(m0, 0, m0->m_pkthdr.len, (caddr_t)&txd[1]);	/* <- heap overflow here */

	data->buflen = xferlen;
	data->ni = ni;
	data->m = m0;
	STAILQ_INSERT_TAIL(&sc->sc_tx_pending[which], data, next);

	/* start transfer, if any */
	usbd_transfer_start(sc->sc_xfer[which]);

	return (0);
}
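As an added illustration, not code from the FreeBSD driver or from the reporter, the following models the length check that is missing before the copy in rsu_tx_start(): the descriptor plus the frame payload must fit in the per-transfer buffer, otherwise the frame is rejected before anything is written. The 32-byte descriptor size is the figure from the report; TX_BUF_SIZE, the struct names and the EMSGSIZE return value are assumptions for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the driver's types. TXD_SIZE is the 32-byte
 * descriptor from the report; TX_BUF_SIZE is an assumed buffer capacity. */
#define TXD_SIZE    32
#define TX_BUF_SIZE 256

struct tx_desc {
	uint8_t raw[TXD_SIZE];
};

struct tx_data {
	uint8_t buf[TX_BUF_SIZE];	/* descriptor followed by frame payload */
	int     buflen;
};

/* Largest payload that fits behind the descriptor in one transfer buffer. */
static size_t
max_payload(void)
{
	return TX_BUF_SIZE - sizeof(struct tx_desc);
}

/* Bytes an unchecked copy would write past the end of the buffer for a
 * payload of pktlen bytes (0 when the frame fits). Pure arithmetic. */
static size_t
overflow_bytes(size_t pktlen)
{
	size_t xferlen = sizeof(struct tx_desc) + pktlen;

	return xferlen > TX_BUF_SIZE ? xferlen - TX_BUF_SIZE : 0;
}

/* Hardened copy: validate the length against the buffer capacity first.
 * memcpy() stands in for m_copydata(); the check is the point. */
static int
tx_start_checked(struct tx_data *data, const uint8_t *frame, size_t pktlen)
{
	struct tx_desc *txd = (struct tx_desc *)data->buf;

	if (pktlen > max_payload())
		return (EMSGSIZE);	/* reject before touching the buffer */

	memset(txd, 0, sizeof(*txd));
	memcpy(&txd[1], frame, pktlen);
	data->buflen = (int)(sizeof(*txd) + pktlen);
	return (0);
}

/* Self-check with a constructed frame: returns 0 when the boundary
 * behaves as intended, otherwise a small code naming the failed step. */
static int
self_check(void)
{
	struct tx_data data;
	uint8_t frame[TX_BUF_SIZE];

	memset(frame, 0xAB, sizeof(frame));	/* constructed payload */

	/* Exactly filling the buffer is accepted. */
	if (tx_start_checked(&data, frame, max_payload()) != 0)
		return (1);
	if (data.buflen != TX_BUF_SIZE || data.buf[TXD_SIZE] != 0xAB)
		return (2);
	/* One byte more is refused and the buffer is left untouched. */
	if (tx_start_checked(&data, frame, max_payload() + 1) != EMSGSIZE)
		return (3);
	if (data.buflen != TX_BUF_SIZE)
		return (4);
	return (0);
}

int
main(void)
{
	printf("self_check: %d\n", self_check());
	printf("overflow for a %d-byte payload: %zu bytes\n",
	    TX_BUF_SIZE, overflow_bytes(TX_BUF_SIZE));
	return (0);
}
```

The check is placed before the copy rather than after it: once m_copydata() has run, the bytes beyond the buffer are already written, so computing xferlen and comparing it afterwards would not help.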