https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284694
Bug ID: 284694
Summary: buffer overflow in ieee80211_init_suphtrates() (from if_run.c)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: r...@lcs.mit.edu

A USB device claiming to be a "run" Ralink wifi adaptor can cause
ieee80211_init_suphtrates() to write beyond the end of the struct ieee80211com
ic_sup_htrates buffer (thus scribbling over ic->ic_nchans &c) in the following
way.

if_run.c's run_read_eeprom() reads val from the device's eeprom, and

    sc->ntxchains = (val >> 4) & 0xf;

so the device can cause ntxchains to be as large as 15. Then run_read_eeprom()
returns to run_attach(), which says:

    ic->ic_txstream = sc->ntxchains;

Then run_attach() / ieee80211_ifattach() / ieee80211_chan_init() /
ieee80211_init_suphtrates():

    void
    ieee80211_init_suphtrates(struct ieee80211com *ic)
    {
    #define ADDRATE(x) do {                                         \
            htrateset->rs_rates[htrateset->rs_nrates] = x;          \
            htrateset->rs_nrates++;                                 \
    } while (0)
            struct ieee80211_htrateset *htrateset = &ic->ic_sup_htrates;
            int i;

            memset(htrateset, 0, sizeof(struct ieee80211_htrateset));
            for (i = 0; i < ic->ic_txstream * 8; i++)
                    ADDRATE(i);
    #undef ADDRATE
    }

So ieee80211_init_suphtrates() can call ADDRATE() up to 15*8 times. But
rs_rates[] is not that big; _ieee80211.h says:

    #define IEEE80211_HTRATE_MAXSIZE 77

    struct ieee80211_htrateset {
            uint8_t rs_nrates;
            uint8_t rs_rates[IEEE80211_HTRATE_MAXSIZE];
    };

So the fields after ic_sup_htrates in ieee80211com can be overwritten.
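The overflow described in the report, reproduced as a userland model. This is an added example, not code from the report or from FreeBSD: the tail of struct ieee80211com is modelled as a flat byte array in which rs_nrates and rs_rates[] occupy the first 78 bytes and everything after them is filled with a canary, so the real kernel layout (which field follows ic_sup_htrates, padding) is an assumption made only to make the clobbering observable. ntxchains_from_eeprom() mirrors the `(val >> 4) & 0xf` extraction, init_suphtrates_unpatched() mirrors the quoted loop, and init_suphtrates_bounded() is one possible hardening (bound the index at IEEE80211_HTRATE_MAXSIZE), offered as a suggestion rather than as the fix FreeBSD committed. The EEPROM words used in main() are constructed, not captured from a device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From sys/net80211/_ieee80211.h, as quoted in the report. */
#define IEEE80211_HTRATE_MAXSIZE 77

/* sizeof(struct ieee80211_htrateset): rs_nrates followed by rs_rates[]. */
#define HTRATESET_SIZE (1 + IEEE80211_HTRATE_MAXSIZE)

/*
 * Model of the tail of struct ieee80211com. ASSUMPTION: only the rate set
 * plus a block of trailing bytes is modelled; offsets are for illustration
 * and are not the real kernel layout.
 */
#define MODEL_SIZE    256
#define OFF_RS_NRATES 0
#define OFF_RS_RATES  1
#define OFF_AFTER     HTRATESET_SIZE   /* first byte after ic_sup_htrates */
#define AFTER_MAGIC   0xA5             /* canary for the bytes after it */

struct ic_model {
	uint8_t bytes[MODEL_SIZE];
};

static void
model_init(struct ic_model *m)
{
	memset(m->bytes, 0, MODEL_SIZE);
	memset(&m->bytes[OFF_AFTER], AFTER_MAGIC, MODEL_SIZE - OFF_AFTER);
}

/* Mirrors run_read_eeprom(): ntxchains is the high nibble of the word. */
static uint8_t
ntxchains_from_eeprom(uint16_t val)
{
	return (val >> 4) & 0xf;
}

/* Entries the unpatched loop places beyond rs_rates[] (0 if they all fit). */
static int
overflow_entries(uint8_t ic_txstream)
{
	int wanted = ic_txstream * 8;

	return wanted > IEEE80211_HTRATE_MAXSIZE ?
	    wanted - IEEE80211_HTRATE_MAXSIZE : 0;
}

/* Same logic as the quoted ieee80211_init_suphtrates(): rs_nrates is never checked. */
static void
init_suphtrates_unpatched(struct ic_model *m, uint8_t ic_txstream)
{
	int i;

	memset(&m->bytes[OFF_RS_NRATES], 0, HTRATESET_SIZE);
	for (i = 0; i < ic_txstream * 8; i++) {
		uint8_t n = m->bytes[OFF_RS_NRATES];

		/* For ic_txstream > 9 this index runs past rs_rates[]. */
		m->bytes[OFF_RS_RATES + n] = (uint8_t)i;
		m->bytes[OFF_RS_NRATES] = n + 1;
	}
}

/* Suggested hardening: stop at the array bound; returns 1 if rates were dropped. */
static int
init_suphtrates_bounded(struct ic_model *m, uint8_t ic_txstream)
{
	int i, truncated = 0;

	memset(&m->bytes[OFF_RS_NRATES], 0, HTRATESET_SIZE);
	for (i = 0; i < ic_txstream * 8; i++) {
		uint8_t n = m->bytes[OFF_RS_NRATES];

		if (n >= IEEE80211_HTRATE_MAXSIZE) {
			truncated = 1;
			break;
		}
		m->bytes[OFF_RS_RATES + n] = (uint8_t)i;
		m->bytes[OFF_RS_NRATES] = n + 1;
	}
	return truncated;
}

/* Feed one EEPROM word through either loop; 1 if any byte after the rate set changed. */
static int
clobbers(uint16_t eeprom_val, int bounded)
{
	struct ic_model m;
	int off;

	model_init(&m);
	if (bounded)
		(void)init_suphtrates_bounded(&m, ntxchains_from_eeprom(eeprom_val));
	else
		init_suphtrates_unpatched(&m, ntxchains_from_eeprom(eeprom_val));
	for (off = OFF_AFTER; off < MODEL_SIZE; off++)
		if (m.bytes[off] != AFTER_MAGIC)
			return 1;
	return 0;
}

int
main(void)
{
	uint16_t hostile = 0x00f0;	/* constructed: ntxchains = 15, 120 rates */
	uint16_t sane = 0x0022;		/* constructed: ntxchains = 2, 16 rates */

	printf("hostile: %d entries past rs_rates[], unpatched clobbers=%d, bounded clobbers=%d\n",
	    overflow_entries(ntxchains_from_eeprom(hostile)),
	    clobbers(hostile, 0), clobbers(hostile, 1));
	printf("sane: %d entries past rs_rates[], unpatched clobbers=%d\n",
	    overflow_entries(ntxchains_from_eeprom(sane)), clobbers(sane, 0));
	return 0;
}
```

The threshold the model exposes is ic_txstream = 10: nine streams give 72 entries, which fit in 77 slots, while ten give 80 and the last three land on whatever follows ic_sup_htrates. A driver that copies an attacker-controlled nibble straight into ic_txstream should clamp it to what the hardware can actually have before net80211 ever sees it, and the net80211 loop should not trust the value either.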