oss-sec mailing list archives
Re: more info on "radiotap: bitmap-end-finding buffer overrun"
From: Henri Salo <henri () nerv fi>
Date: Sun, 19 Jan 2014 14:48:33 +0200
On Fri, Jan 17, 2014 at 12:50:55PM +0100, Raphael Geissert wrote:
Hi, I was wondering if anyone has more info on the following commit: https://github.com/torvalds/linux/commit/bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575 AFAICS it is a different issue than CVE-2013-7027. A web search points to the following Secunia advisory, but not much else: http://secunia.com/community/advisories/56282 (not asking for a CVE at this time) Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Johannes Berg replied: """ It's not important at all in the current code base, let me explain why I think so. The only (current) user of this code is the mac80211 injection code, so you already need permission to create raw sockets, which I believe is usually equivalent to root permissions. With that aside, let's assume you build and manage to send a packet specifically to hit this particular issue. By nature of the issue, this packet must consist solely of a radiotap header, with header extension bitmap and at most 3 bytes of data. The latter is crucial as otherwise the bitmap would just overlap the data and you can't cause the invalid read. Now this means that your packet is really just the size of the fixed radiotap header, plus 3 bytes at most, so at most 11 bytes. Let's also say that the length field in your radiotap header is 8 (the minimum), which doesn't matter for the parser but does for the surrounding code. As a result, the checking code in ieee80211_monitor_start_xmit() will see that there are at least 2 more bytes after the radiotap header, and treat them as the 802.11 frame control field. Regardless of the contents of those two bytes, ieee80211_hdrlen() will return at least 10. Since 10 + 8 (the radiotap length we put into the packet) is far bigger than 11, I believe you can't even trigger the invalid read, since the packet will be dropped as invalid before the real radiotap parser is even initialized (i.e. the previously buggy code invoked.) """ --- Henri Salo
Attachment:
signature.asc
Description: Digital signature
Current thread:
- more info on "radiotap: bitmap-end-finding buffer overrun" Raphael Geissert (Jan 17)
- Re: more info on "radiotap: bitmap-end-finding buffer overrun" Henri Salo (Jan 19)