[Bug 269347] 802.11 mesh peer can overrun b[] in mesh_decap()
Date: Sun, 05 Feb 2023 19:59:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269347
Bug ID: 269347
Summary: 802.11 mesh peer can overrun b[] in mesh_decap()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #239928 text/plain
mime type:
Created attachment 239928
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239928&action=edit
generate an 802.11 mesh packet that causes an overrun of b[] in mesh_decap()
mesh_decap(..., int hdrlen, ...) says:
uint8_t b[sizeof(struct ieee80211_qosframe_addr4) +
sizeof(struct ieee80211_meshcntl_ae10)];
...;
memcpy(b, mtod(m, caddr_t), hdrlen);
sizeof(b) is 50.
However, the hdrlen that mesh_input() passes to mesh_decap() can be as
large as 56, so memcpy() overruns b[]. This happens if the packet's
"ae" here in mesh_input() is 3:
mc = (const struct ieee80211_meshcntl *)
(mtod(m, const uint8_t *) + hdrspace);
ae = mc->mc_flags & IEEE80211_MESH_AE_MASK;
meshdrlen = sizeof(struct ieee80211_meshcntl) +
ae * IEEE80211_ADDR_LEN;
hdrspace += meshdrlen;
I've attached a demo:
# cc wtap18a.c
# ./a.out
...
panic: stack overflow detected; backtrace may be corrupted
panic() at panic+0x2a
__stack_chk_fail() at __stack_chk_fail+0x14
mesh_decap() at mesh_decap+0x354
mesh_input() at mesh_input+0x770
.LBB2_17() at .LBB2_17+0x34
taskqueue_run_locked() at taskqueue_run_locked+0x96
taskqueue_thread_loop() at taskqueue_thread_loop+0x62
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
--
You are receiving this mail because:
You are the assignee for the bug.