https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284694
Bug ID: 284694
Summary: buffer overflow in ieee80211_init_suphtrates() (from
if_run.c)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: r...@lcs.mit.edu
A USB device claiming to be a "run" Ralink wifi adaptor can cause
ieee80211_init_suphtrates() to write beyond the end of the struct
ieee80211com ic_sup_htrates buffer (thus scribbling over
ic->ic_nchans &c) in the following way.
if_run.c's run_read_eeprom() reads val from the device's eeprom, and
sc->ntxchains = (val >> 4) & 0xf;
so the device can cause ntxchains to be as large as 15.
Then run_read_eeprom() returns to run_attach(), which says:
ic->ic_txstream = sc->ntxchains;
Then run_attach() / ieee802aa_ifattach() / ieee80211_chan_init() /
ieee80211_init_suphtrates():
void
ieee80211_init_suphtrates(struct ieee80211com *ic)
{
#define ADDRATE(x) do { \
htrateset->rs_rates[htrateset->rs_nrates] = x; \
htrateset->rs_nrates++; \
} while (0)
struct ieee80211_htrateset *htrateset = &ic->ic_sup_htrates;
int i;
memset(htrateset, 0, sizeof(struct ieee80211_htrateset));
for (i = 0; i < ic->ic_txstream * 8; i++)
ADDRATE(i);
So ieee80211_init_suphtrates() can call ADDRATE() up to 15*8 times.
But rs_rates[] is not that big: _ieee80211.h says:
#define IEEE80211_HTRATE_MAXSIZE 77
struct ieee80211_htrateset {
uint8_t rs_nrates;
uint8_t rs_rates[IEEE80211_HTRATE_MAXSIZE];
};
So the fields after ic_sup_htrates in ieee80211com can be overwritten.
--
You are receiving this mail because:
You are the assignee for the bug.
