https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287883
Bug ID: 287883
Summary: if_mtw.c should check sc->ntxchains
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: wireless
Assignee: wireless@FreeBSD.org
Reporter: r...@lcs.mit.edu

If a malicious USB device pretending to be a MediaTek MT7601U (if_mtw.c) claims more than a few (4?) txchains, ieee80211_init_suphtrates() can overrun rs_rates[], writing junk into ic->ic_nchans (and maybe other ic variables). One bad result is that a large ic_nchans can cause ieee80211_dfs_reset() to write off the end of ic->ic_channels[] and eventually crash.

mtw_read_eeprom():

    mtw_srom_read(sc, MTW_EEPROM_ANTENNA, &val);
    sc->ntxchains = (val >> 4) & 0xf;

mtw_attach():

    ic->ic_txstream = sc->ntxchains;

ieee80211_init_suphtrates():

    #define ADDRATE(x) do {                                     \
        htrateset->rs_rates[htrateset->rs_nrates] = x;          \
        htrateset->rs_nrates++;                                 \
    } while (0)
    struct ieee80211_htrateset *htrateset = &ic->ic_sup_htrates;
    for (i = 0; i < ic->ic_txstream * 8; i++)
        ADDRATE(i);

struct ieee80211com:

    struct ieee80211com {
        struct ieee80211_htrateset ic_sup_htrates;
        int ic_nchans;          /* # entries in ic_channels */

    #define IEEE80211_HTRATE_MAXSIZE 77
    struct ieee80211_htrateset {
        uint8_t rs_nrates;
        uint8_t rs_rates[IEEE80211_HTRATE_MAXSIZE];
    };

ieee80211_dfs_reset(struct ieee80211com *ic):

    for (i = 0; i < ic->ic_nchans; i++)
        ic->ic_channels[i].ic_state = 0;

This is analogous to this if_run.c PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284694
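The following is an added illustration of the arithmetic behind the report, not code from the bug report or from the FreeBSD tree. It models only the pieces quoted above: the 4-bit ntxchains field read from the EEPROM, the `ic_txstream * 8` loop, a rate set of IEEE80211_HTRATE_MAXSIZE (77) entries, and an ic_nchans field placed directly after it. It then shows the two places a practitioner would add a check: a bounds-checked ADDRATE in the loop, and a driver-side validation of ntxchains at EEPROM-read time. The struct `ieee80211com_model`, the functions, and the choice of 4 as the upper bound (the 802.11n maximum number of spatial streams) are this example's own assumptions; the real ieee80211_init_suphtrates() appends further MCS entries after the quoted loop, so its real safe maximum is smaller than the 9 this reduced model computes for the loop alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant as quoted from sys/net80211 in the bug report. */
#define IEEE80211_HTRATE_MAXSIZE 77

/* Assumption for the driver-side clamp: HT allows at most four spatial
 * streams, so a larger EEPROM value cannot be legitimate. */
#define MTW_MAX_TXCHAINS 4

struct ieee80211_htrateset {
    uint8_t rs_nrates;
    uint8_t rs_rates[IEEE80211_HTRATE_MAXSIZE];
};

/* Reduced model of struct ieee80211com (hypothetical layout): only the
 * fields the report involves, with ic_nchans right after the rate set so a
 * write past rs_rates[] would land on it. */
struct ieee80211com_model {
    struct ieee80211_htrateset ic_sup_htrates;
    int ic_nchans;
    int ic_txstream;
};

/* Entries the quoted loop appends for a given ic_txstream. */
int ht_rates_needed(int txstream) { return txstream * 8; }

/* True when the quoted loop alone would write past rs_rates[]. */
bool ht_loop_overflows(int txstream) {
    return ht_rates_needed(txstream) > IEEE80211_HTRATE_MAXSIZE;
}

/* ntxchains is (val >> 4) & 0xf, so an attacker controls 0..15: find the
 * smallest value that already overflows in this model. */
int smallest_overflowing_ntxchains(void) {
    for (int n = 0; n <= 0xf; n++)
        if (ht_loop_overflows(n))
            return n;
    return -1;
}

/* Bounds-checked version of the ADDRATE loop. Returns how many entries
 * were dropped instead of being written past the array. */
int init_suphtrates_checked(struct ieee80211com_model *ic) {
    struct ieee80211_htrateset *hr = &ic->ic_sup_htrates;
    int dropped = 0;
    memset(hr, 0, sizeof(*hr));
    for (int i = 0; i < ic->ic_txstream * 8; i++) {
        if (hr->rs_nrates >= IEEE80211_HTRATE_MAXSIZE) {
            dropped++;
            continue;
        }
        hr->rs_rates[hr->rs_nrates++] = (uint8_t)i;
    }
    return dropped;
}

/* Driver-side check modelled on the quoted mtw_read_eeprom() line: derive
 * ntxchains from the EEPROM antenna word and reject out-of-range values
 * (returns -1 so attach can fail) instead of trusting the device. */
int mtw_ntxchains_from_eeprom(uint16_t antenna_word) {
    int n = (antenna_word >> 4) & 0xf;
    if (n < 1 || n > MTW_MAX_TXCHAINS)
        return -1;
    return n;
}

int main(void) {
    struct ieee80211com_model ic;
    memset(&ic, 0, sizeof(ic));
    ic.ic_nchans = 42;                  /* sentinel: must survive untouched */
    ic.ic_txstream = 0xf;               /* worst case the 4-bit field allows */
    int dropped = init_suphtrates_checked(&ic);
    printf("loop overflows from ntxchains=%d; txstream=15 needs %d entries, "
           "%d dropped, rs_nrates=%u, ic_nchans=%d\n",
           smallest_overflowing_ntxchains(), ht_rates_needed(ic.ic_txstream),
           dropped, ic.ic_sup_htrates.rs_nrates, ic.ic_nchans);
    printf("eeprom 0x00f0 -> %d, 0x0020 -> %d\n",
           mtw_ntxchains_from_eeprom(0x00f0), mtw_ntxchains_from_eeprom(0x0020));
    return 0;
}
```

The driver-side check is the one the report's summary asks for: once ntxchains is bounded at EEPROM-read time, ic_txstream can never reach the value that makes the net80211 loop overrun, and the bounds check inside the loop is a second line of defence for any other driver that copies a device-supplied stream count into ic_txstream.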