Missing size checks in ieee80211_ioctl_get80211() could lead to stack overflows

cutesmilee cutesmilee.research at protonmail.com
Thu Apr 1 11:45:32 UTC 2021

ieee80211_ioctl_get80211() does not check the length provided by the user, which can lead to out-of-bounds reads and writes on the stack and so to a denial of service.
This issue is present in the latest FreeBSD sources.
ireq->i_len is a user-provided length (it is a uint16_t, so at most 65535).
For the IEEE80211_IOC_SSID command, in the IEEE80211_S_SCAN or default case an out-of-bounds copy into tmpssid (a 32-byte stack buffer) can happen if vap->iv_des_ssid[0].len is set to a large value; an out-of-bounds read from tmpssid then also happens, because the following copyout() uses the same size.
The same thing can happen with IEEE80211_IOC_WEPKEY (just with another user-controlled size).
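As an added illustration (not code from the post or from FreeBSD), the following models the SSID get path described above with cut-down stand-ins for the kernel structures and for copyout(): get_ssid_unchecked() reproduces the pattern in which the copy length comes from a struct field and is never compared with sizeof(tmpssid), and get_ssid_checked() shows the bound checks that close both the memcpy and the copyout() side. The struct names, the copyout_model() helper, its extra capacity argument and the sample SSID are all constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_NWID_LEN 32   /* size of the SSID stack buffer in the get path */

/* Constructed, cut-down stand-ins for the kernel structures involved.
 * These are not the real FreeBSD definitions; only the fields the SSID
 * get path touches are modelled. */
struct ireq_model {
    uint16_t i_len;    /* user-supplied buffer length on entry, result length on exit */
    void    *i_data;   /* user buffer that copyout() writes into */
};

struct vap_model {
    uint8_t  des_ssid_len;                    /* models vap->iv_des_ssid[0].len */
    uint8_t  des_ssid[IEEE80211_NWID_LEN];    /* models vap->iv_des_ssid[0].ssid */
};

/* Stand-in for copyout(): the "user buffer" is an ordinary array here, and
 * ucap is its real capacity so the model refuses an out-of-range copy
 * instead of corrupting memory. The real copyout() has no such argument. */
static int copyout_model(const void *kaddr, void *uaddr, size_t len, size_t ucap)
{
    if (len > ucap)
        return EFAULT;
    memcpy(uaddr, kaddr, len);
    return 0;
}

/* The pattern the post describes: the copy length is taken from a struct
 * field and never compared with sizeof(tmpssid). A value above 32 would
 * write past the stack buffer, and the copyout would then read past it.
 * Calling this with des_ssid_len > 32 is a genuine overflow, so the usage
 * below only calls it with an in-range length. */
int get_ssid_unchecked(const struct vap_model *vap, struct ireq_model *ireq, size_t ucap)
{
    uint8_t tmpssid[IEEE80211_NWID_LEN];

    ireq->i_len = vap->des_ssid_len;
    memcpy(tmpssid, vap->des_ssid, ireq->i_len);            /* no bound on i_len */
    return copyout_model(tmpssid, ireq->i_data, ireq->i_len, ucap);
}

/* Hardened form (a suggested pattern, not FreeBSD's fix): bound the length
 * by the stack buffer and by the size the caller said its user buffer has,
 * before either copy happens. */
int get_ssid_checked(const struct vap_model *vap, struct ireq_model *ireq, size_t ucap)
{
    uint8_t tmpssid[IEEE80211_NWID_LEN];
    size_t len = vap->des_ssid_len;

    if (len > sizeof(tmpssid))      /* kernel state larger than the stack buffer */
        return EINVAL;
    if (len > ireq->i_len)          /* user buffer too small for the result */
        return EINVAL;
    memcpy(tmpssid, vap->des_ssid, len);
    ireq->i_len = (uint16_t)len;
    return copyout_model(tmpssid, ireq->i_data, len, ucap);
}

/* Would the unchecked memcpy run past tmpssid for this SSID length? */
int ssid_len_overflows_stack(size_t len)
{
    return len > IEEE80211_NWID_LEN;
}

int main(void)
{
    struct vap_model vap = { .des_ssid_len = 5, .des_ssid = "FreeB" };   /* constructed sample */
    uint8_t ubuf[IEEE80211_NWID_LEN];
    struct ireq_model ireq = { .i_len = sizeof(ubuf), .i_data = ubuf };

    int rc = get_ssid_checked(&vap, &ireq, sizeof(ubuf));
    printf("checked: rc=%d len=%u ssid=%.*s\n", rc, ireq.i_len, ireq.i_len, ubuf);

    vap.des_ssid_len = 200;   /* the state the post is concerned about */
    printf("len=200 would overflow tmpssid: %d\n", ssid_len_overflows_stack(vap.des_ssid_len));
    rc = get_ssid_checked(&vap, &ireq, sizeof(ubuf));
    printf("checked with len=200: rc=%d (EINVAL=%d)\n", rc, EINVAL);
    return 0;
}
```

The two checks in get_ssid_checked() are independent: the first protects the kernel stack regardless of what userland passed, the second keeps the copyout() from writing more than the caller's buffer length; rejecting with EINVAL rather than silently truncating keeps the returned i_len honest.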

