[Bug 270649] hostapd and wpa_supplicant use uninitialized ptr if interface disappears
Date: Wed, 05 Apr 2023 10:31:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270649
Bug ID: 270649
Summary: hostapd and wpa_supplicant use uninitialized ptr if interface disappears
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: rtm@lcs.mit.edu
l2_packet_receive() in contrib/wpa/src/l2_packet/l2_packet_freebsd.c:
    const u_char *packet;
    if (pcap_next_ex(pcap, &hdr, &packet) == -1) {
        wpa_printf(MSG_ERROR, "Error reading packet, has device disappeared?");
        eloop_terminate();
    }
    if (!l2->rx_callback || !packet || hdr->caplen < sizeof(*ethhdr))
        return;
    ethhdr = (struct l2_ethhdr *) packet;
    l2->rx_callback(l2->rx_callback_ctx, ethhdr->h_source, buf, len);
Since packet is not initialized, and pcap_next_ex() doesn't set packet
if there's an error, packet can be left containing non-NULL garbage,
which l2->rx_callback() tries to use. This happens if the wlanX
interface is shut down with ifconfig destroy.
Here's a backtrace:
#0 ap_get_sta (hapd=0x412026b0, sta=0xc32fe8354dfa3e76 <error: Cannot access
memory at address 0xc32fe8354dfa3e76>)
at /usr/rtm/symbsd/src/contrib/wpa/src/ap/sta_info.c:73
#1 0x000000000015eca0 in hostapd_event_eapol_rx (hapd=0x412026b0,
src=0xc32fe8354dfa3e76 <error: Cannot access memory at address
0xc32fe8354dfa3e76>,
data=0xc32fe8354dfa3e7e <error: Cannot access memory at address
0xc32fe8354dfa3e7e>, data_len=224) at
/usr/rtm/symbsd/src/contrib/wpa/src/ap/drv_callbacks.c:1541
#2 wpa_supplicant_event (ctx=0x412026b0, event=<optimized out>,
data=<optimized out>) at
/usr/rtm/symbsd/src/contrib/wpa/src/ap/drv_callbacks.c:1938
#3 0x0000000000156850 in drv_event_eapol_rx (ctx=0x412026b0, src=<optimized
out>, data=<optimized out>, data_len=<optimized out>)
at /usr/rtm/symbsd/src/contrib/wpa/src/drivers/driver.h:6085
#4 handle_read (ctx=<optimized out>, src_addr=0xc32fe8354dfa3e76 <error:
Cannot access memory at address 0xc32fe8354dfa3e76>,
buf=0xc32fe8354dfa3e7e <error: Cannot access memory at address
0xc32fe8354dfa3e7e>, len=224) at
/usr/rtm/symbsd/src/contrib/wpa/src/drivers/driver_bsd.c:1028
#5 0x0000000000180b78 in l2_packet_receive (sock=<optimized out>,
eloop_ctx=0x41203410, sock_ctx=<optimized out>)
at /usr/rtm/symbsd/src/contrib/wpa/src/l2_packet/l2_packet_freebsd.c:102
#6 0x00000000001bace6 in eloop_sock_table_dispatch (fds=0x41209260,
table=<optimized out>) at /usr/rtm/symbsd/src/contrib/wpa/src/utils/eloop.c:603
#7 eloop_run () at /usr/rtm/symbsd/src/contrib/wpa/src/utils/eloop.c:1233
#8 0x000000000015784e in hostapd_global_run (ifaces=<optimized out>,
daemonize=<optimized out>, pid_file=<optimized out>)
at /usr/rtm/symbsd/src/contrib/wpa/hostapd/main.c:445
#9 0x000000000015740a in main (argc=<optimized out>, argv=0x3fffffeb50) at
/usr/rtm/symbsd/src/contrib/wpa/hostapd/main.c:892
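The report above identifies two things that together let garbage reach the callback: the local `packet` is never initialized, and the `-1` branch calls eloop_terminate() but then falls through to the checks and the callback. The following is an added, stand-alone illustration of a hardened receive path, not the fix committed to wpa or FreeBSD. It replaces libpcap and the wpa types with small simulated stand-ins (`sim_pcap`, `sim_next_ex`, `rx_ctx`, `sample_frame` are all constructed for this example) so it compiles without any library; `sim_next_ex` keeps the pcap_next_ex() contract that matters here, namely that a `-1` return leaves both out-parameters untouched.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the libpcap / wpa types the report touches (constructed
 * for this example; they are not the real headers). */
struct sim_pkthdr { uint32_t caplen; };
struct l2_ethhdr { uint8_t h_dest[6]; uint8_t h_source[6]; uint16_t h_proto; };

/* Simulated capture handle. 'fail' makes the next read behave the way
 * pcap_next_ex() does once the wlan interface has been destroyed. */
struct sim_pcap { int fail; struct sim_pkthdr hdr; const uint8_t *frame; };

/* Same contract as pcap_next_ex(): returns 1 with hdr/pkt filled in, or -1
 * on error WITHOUT touching either out-parameter. */
static int sim_next_ex(struct sim_pcap *p, struct sim_pkthdr **hdr, const uint8_t **pkt)
{
    if (p->fail)
        return -1;
    *hdr = &p->hdr;
    *pkt = p->frame;
    return 1;
}

/* Records what reaches the rx callback, standing in for l2->rx_callback(). */
struct rx_ctx { int calls; int terminated; uint8_t last_src[6]; };

/* Hardened receive path: 'packet' starts as NULL and the error branch
 * returns instead of falling through, so a failed read can never reach the
 * callback with whatever the stack slot happened to contain. */
static int receive_hardened(struct sim_pcap *p, struct rx_ctx *ctx)
{
    struct sim_pkthdr *hdr = NULL;
    const uint8_t *packet = NULL;
    const struct l2_ethhdr *ethhdr;

    if (sim_next_ex(p, &hdr, &packet) == -1) {
        ctx->terminated = 1;      /* where hostapd calls eloop_terminate() */
        return -1;                /* stop here; hdr and packet are not valid */
    }
    if (!packet || !hdr || hdr->caplen < sizeof(*ethhdr))
        return 0;                 /* nothing usable in this frame */
    ethhdr = (const struct l2_ethhdr *)packet;
    memcpy(ctx->last_src, ethhdr->h_source, 6);
    ctx->calls++;
    return 1;
}

/* Constructed 20-byte Ethernet frame: dst, src 02:00:00:00:00:aa,
 * EAPOL ethertype, 6 bytes of payload. */
static const uint8_t sample_frame[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* h_dest */
    0x02, 0x00, 0x00, 0x00, 0x00, 0xaa,   /* h_source */
    0x88, 0x8e,                           /* EAPOL */
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00    /* payload */
};

/* Scenario: the read fails (interface gone). Returns the number of
 * callback invocations, which must be 0, or -1 if the error path misbehaved. */
static int scenario_read_error(void)
{
    struct sim_pcap p = { 1, { 0 }, NULL };
    struct rx_ctx ctx = { 0, 0, { 0 } };
    int rc = receive_hardened(&p, &ctx);
    return (rc == -1 && ctx.terminated) ? ctx.calls : -1;
}

/* Scenario: a valid frame. Returns 1 if the callback saw the source MAC. */
static int scenario_good_frame(void)
{
    struct sim_pcap p = { 0, { (uint32_t)sizeof sample_frame }, sample_frame };
    struct rx_ctx ctx = { 0, 0, { 0 } };
    if (receive_hardened(&p, &ctx) != 1 || ctx.calls != 1)
        return 0;
    return memcmp(ctx.last_src, sample_frame + 6, 6) == 0;
}

/* Scenario: truncated capture (caplen shorter than an Ethernet header).
 * Returns the callback count, which must be 0. */
static int scenario_short_frame(void)
{
    struct sim_pcap p = { 0, { 8 }, sample_frame };
    struct rx_ctx ctx = { 0, 0, { 0 } };
    receive_hardened(&p, &ctx);
    return ctx.calls;
}

int main(void)
{
    printf("read error : callbacks=%d\n", scenario_read_error());
    printf("good frame : ok=%d\n", scenario_good_frame());
    printf("short frame: callbacks=%d\n", scenario_short_frame());
    return 0;
}
```

Either change on its own closes the hole shown in the backtrace: with `packet = NULL` the existing `!packet` guard catches the error case, and with an early return the guard is never consulted with stale values at all. Doing both is cheap and keeps the function correct even if a future edit reorders the checks.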