https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284694

            Bug ID: 284694
           Summary: buffer overflow in ieee80211_init_suphtrates() (from
                    if_run.c)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: r...@lcs.mit.edu

A USB device claiming to be a "run" Ralink wifi adaptor can cause
ieee80211_init_suphtrates() to write beyond the end of the struct
ieee80211com ic_sup_htrates buffer (thus scribbling over
ic->ic_nchans &c) in the following way.

if_run.c's run_read_eeprom() reads val from the device's eeprom, and

                sc->ntxchains = (val >> 4) & 0xf;

so the device can cause ntxchains to be as large as 15.

Then run_read_eeprom() returns to run_attach(), which says:

                ic->ic_txstream = sc->ntxchains;

Then run_attach() / ieee80211_ifattach() / ieee80211_chan_init() /
ieee80211_init_suphtrates():

void
ieee80211_init_suphtrates(struct ieee80211com *ic)
{
#define ADDRATE(x)      do {                                            \
        htrateset->rs_rates[htrateset->rs_nrates] = x;                  \
        htrateset->rs_nrates++;                                         \
} while (0)
        struct ieee80211_htrateset *htrateset = &ic->ic_sup_htrates;
        int i;

        memset(htrateset, 0, sizeof(struct ieee80211_htrateset));
        for (i = 0; i < ic->ic_txstream * 8; i++)
                ADDRATE(i);

So ieee80211_init_suphtrates() can call ADDRATE() up to 15*8 times.

But rs_rates[] is not that big: _ieee80211.h says:

#define IEEE80211_HTRATE_MAXSIZE        77
struct ieee80211_htrateset {
        uint8_t         rs_nrates;
        uint8_t         rs_rates[IEEE80211_HTRATE_MAXSIZE];
};

So the fields after ic_sup_htrates in ieee80211com can be overwritten.

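The write pattern the report describes, as an added user-space model (this is example code written for this page, not net80211 or if_run code, and not the project's fix). The struct toy_ieee80211com layout, the 0x5a5a5a5a sentinel, the 0x00f0 EEPROM word and the init_suphtrates_checked() guard are assumptions of the example; the real struct ieee80211com has many more fields and its padding is not reproduced. The vulnerable loop is written as byte stores into the enclosing object so the demonstration is well-defined C rather than relying on what the optimiser does with an out-of-bounds rs_rates[] index.

```c
/*
 * Added example for bug 284694: user-space model of the overflow in
 * ieee80211_init_suphtrates().  NOT net80211 or if_run code; only the
 * fields the report names are modelled.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From _ieee80211.h, as quoted in the report. */
#define IEEE80211_HTRATE_MAXSIZE 77
struct ieee80211_htrateset {
	uint8_t rs_nrates;
	uint8_t rs_rates[IEEE80211_HTRATE_MAXSIZE];
};

/* Toy stand-in for struct ieee80211com (layout is an assumption). */
struct toy_ieee80211com {
	uint8_t ic_txstream;
	struct ieee80211_htrateset ic_sup_htrates;
	int ic_nchans;          /* the neighbour the report says gets scribbled */
	uint8_t ic_more[64];    /* keeps every stray write inside this object */
};

#define RS_RATES_OFF (offsetof(struct toy_ieee80211com, ic_sup_htrates) + \
		      offsetof(struct ieee80211_htrateset, rs_rates))
/* 4-bit EEPROM field => at most 15 chains => at most 120 ADDRATE() calls. */
_Static_assert(RS_RATES_OFF + 15 * 8 <= sizeof(struct toy_ieee80211com),
	       "toy struct too small for the worst case");

/* if_run.c: sc->ntxchains = (val >> 4) & 0xf; run_attach() copies it to ic_txstream. */
uint8_t ntxchains_from_eeprom(uint16_t val)
{
	return (val >> 4) & 0xf;
}

/*
 * The vulnerable loop, as byte stores into the enclosing object so that the
 * demonstration is well-defined C (indexing rs_rates[] past its end is
 * undefined behaviour and the optimiser may drop or reorder the stores).
 * Byte for byte it does what ADDRATE(i) does in ieee80211_init_suphtrates().
 */
static void init_suphtrates_as_in_report(struct toy_ieee80211com *ic)
{
	uint8_t *obj = (uint8_t *)ic;
	uint8_t *rs_nrates = &ic->ic_sup_htrates.rs_nrates;
	int n = ic->ic_txstream * 8;

	memset(&ic->ic_sup_htrates, 0, sizeof(ic->ic_sup_htrates));
	for (int i = 0; i < n; i++) {
		obj[RS_RATES_OFF + *rs_nrates] = (uint8_t)i;  /* rs_rates[rs_nrates] = i */
		(*rs_nrates)++;
	}
}

/* Returns 1 if ic_nchans was clobbered for this chain count, else 0. */
int nchans_clobbered(uint8_t ntxchains)
{
	struct toy_ieee80211com ic;

	memset(&ic, 0, sizeof(ic));
	ic.ic_txstream = ntxchains;
	ic.ic_nchans = 0x5a5a5a5a;      /* sentinel (constructed) */
	init_suphtrates_as_in_report(&ic);
	return ic.ic_nchans != 0x5a5a5a5a;
}

/*
 * Illustrative guard (an assumption of this example, not the project's fix):
 * refuse a stream count whose rate list cannot fit in rs_rates[].
 */
int init_suphtrates_checked(struct toy_ieee80211com *ic)
{
	struct ieee80211_htrateset *hs = &ic->ic_sup_htrates;

	if (ic->ic_txstream * 8 > IEEE80211_HTRATE_MAXSIZE)
		return -1;      /* caller treats this as a fatal attach error */
	memset(hs, 0, sizeof(*hs));
	for (int i = 0; i < ic->ic_txstream * 8; i++)
		hs->rs_rates[hs->rs_nrates++] = (uint8_t)i;
	return 0;
}

int main(void)
{
	uint16_t bad_eeprom = 0x00f0;   /* constructed: chain nibble = 0xf */
	uint8_t chains = ntxchains_from_eeprom(bad_eeprom);
	struct toy_ieee80211com ic = { .ic_txstream = chains };

	printf("ntxchains=%u -> %d ADDRATE() calls, rs_rates holds %d: clobbered=%d\n",
	       chains, chains * 8, IEEE80211_HTRATE_MAXSIZE, nchans_clobbered(chains));
	printf("checked init with %u chains: %d\n", chains, init_suphtrates_checked(&ic));
	return 0;
}
```

With the toy layout the neighbour is reached once the chain count exceeds 9 (72 rates fit, 80 do not); in the real struct ieee80211com the exact fields hit depend on what follows ic_sup_htrates, but any count above 9 writes past rs_rates[]. The guard only illustrates the shape of a check; where it belongs (driver-side clamping of ntxchains, a check in net80211, or both) is a design decision the report does not settle.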