[Bug 286446] net80211: Insufficient length verification with TIM information element
Date: Tue, 29 Apr 2025 15:20:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286446

            Bug ID: 286446
           Summary: net80211: Insufficient length verification with TIM
                    information element
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: wireless
          Assignee: wireless@FreeBSD.org
          Reporter: yichen.chai@gmail.com

I am reporting a likely harmless out-of-bounds read in net80211.

When information elements are parsed in ieee80211_parse_beacon, some are not
checked for length, so I can put a zero-length IE for TIM at the end of the IE
list. An example can be found here:

https://github.com/freebsd/freebsd-src/blob/main/sys/net80211/ieee80211_input.c#L601

It is then used here:

https://github.com/freebsd/freebsd-src/blob/e85eb4c8d7bd8051c351a6fc6982a8b3bcfdbb2d/sys/net80211/ieee80211_sta.c#L1558

The fields in the ieee80211_tim_ie object can all be read out-of-bounds from the
input mbuf, although this is unlikely to disclose much information since it only
affects whether the VAP is woken up from SLEEP state.

-- 
You are receiving this mail because:
You are the assignee for the bug.
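The defensive pattern the report asks for, as an added example that is not net80211 code and not part of the bug report: a small IE walker that bounds-checks each element against the remaining buffer and refuses to interpret a TIM element shorter than its fixed fields plus one partial virtual bitmap octet (the minimum the 802.11 TIM element definition allows), so a zero-length TIM at the end of the list is rejected instead of being read past the end of the frame. The struct tim_view, the status codes, the function names and the sample beacon IE lists are all constructed for this example; the real ieee80211_tim_ie layout in sys/net80211 is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_ID_TIM      5                   /* 802.11 element ID for TIM */
#define TIM_FIXED_LEN  3                   /* DTIM count, DTIM period, bitmap control */
#define TIM_MIN_LEN    (TIM_FIXED_LEN + 1) /* 802.11 requires at least one bitmap octet */

/* Validated view of a TIM element; every pointer stays inside the input buffer. */
struct tim_view {
    uint8_t dtim_count;
    uint8_t dtim_period;
    uint8_t bitmap_ctl;       /* bit 0: group traffic; bits 1..7: bitmap offset (N1) */
    const uint8_t *bitmap;    /* partial virtual bitmap, bitmap_len octets */
    size_t bitmap_len;
};

enum tim_status { TIM_OK = 0, TIM_ABSENT, TIM_BAD_IE_LIST, TIM_TOO_SHORT };

/* Walk a TLV list of IEs and extract the TIM element only if its declared length
 * both fits in the buffer and is long enough for the fields we will read. */
enum tim_status parse_tim_ie(const uint8_t *ies, size_t len, struct tim_view *out)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2)
            return TIM_BAD_IE_LIST;              /* no room for the id+len header */
        uint8_t id = ies[off];
        uint8_t ielen = ies[off + 1];
        const uint8_t *body = ies + off + 2;
        if ((size_t)ielen > len - off - 2)
            return TIM_BAD_IE_LIST;              /* declared length overruns the buffer */
        if (id == IE_ID_TIM) {
            if (ielen < TIM_MIN_LEN)
                return TIM_TOO_SHORT;            /* e.g. the zero-length TIM from the report */
            out->dtim_count  = body[0];
            out->dtim_period = body[1];
            out->bitmap_ctl  = body[2];
            out->bitmap      = body + TIM_FIXED_LEN;
            out->bitmap_len  = (size_t)ielen - TIM_FIXED_LEN;
            return TIM_OK;
        }
        off += 2 + (size_t)ielen;
    }
    return TIM_ABSENT;
}

/* 802.11 rule: AID n is bit (n % 8) of octet (n / 8) of the full virtual bitmap,
 * and the partial bitmap starts at octet 2 * N1. Out-of-range lookups answer "no"
 * rather than reading outside the validated bitmap. */
int tim_has_traffic(const struct tim_view *t, uint16_t aid)
{
    size_t octet = aid / 8;
    size_t start = 2u * (size_t)(t->bitmap_ctl >> 1);
    if (octet < start || octet - start >= t->bitmap_len)
        return 0;
    return (t->bitmap[octet - start] >> (aid % 8)) & 1;
}

/* Constructed sample IE lists (SSID "test" followed by a TIM), not captured frames. */
const uint8_t SAMPLE_OK[]        = {0x00, 0x04, 't', 'e', 's', 't', 0x05, 0x04, 0x00, 0x01, 0x00, 0x02};
const uint8_t SAMPLE_ZERO_TIM[]  = {0x00, 0x04, 't', 'e', 's', 't', 0x05, 0x00};
const uint8_t SAMPLE_TRUNCATED[] = {0x05, 0x04, 0x00, 0x01};
const uint8_t SAMPLE_NO_TIM[]    = {0x00, 0x04, 't', 'e', 's', 't'};

int main(void)
{
    struct tim_view v;
    printf("valid:      %d\n", parse_tim_ie(SAMPLE_OK, sizeof SAMPLE_OK, &v));
    printf("aid 1 traffic: %d\n", tim_has_traffic(&v, 1));
    printf("zero-len:   %d\n", parse_tim_ie(SAMPLE_ZERO_TIM, sizeof SAMPLE_ZERO_TIM, &v));
    printf("truncated:  %d\n", parse_tim_ie(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &v));
    printf("absent:     %d\n", parse_tim_ie(SAMPLE_NO_TIM, sizeof SAMPLE_NO_TIM, &v));
    return 0;
}
```

The two checks are independent and both are needed: the buffer check catches an element whose declared length runs past the end of the frame, while the per-element minimum catches an element that is well-formed as a TLV but too short for the fields the consumer will read, which is the case this bug report describes.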