Headline
CVE-2022-40279: Security: Malfunction in function l2_packet_receive_timeout() · Issue #5629 · Samsung/TizenRT
An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). l2_packet_receive_timeout in wpa_supplicant/src/l2_packet/l2_packet_pcap.c has a missing check on the return value of pcap_dispatch, leading to a denial of service (malfunction).
Affected components
affected source code file: external/wpa_supplicant/src/l2_packet/l2_packet_pcap.c
Attack vector(s)
Lacking a check for the return value of pcap_dispatch.
pcap_dispatch() returns the number of packets processed on success; this can be 0 if no packets were read from a live capture (if, for example, they were discarded because they didn’t pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a ‘’savefile.’’ It returns -1 if an error occurs or -2 if the loop terminated due to a call to pcap_breakloop() before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for -1 and -2, rather than just checking for a return value < 0.
Suggested description of the vulnerability for use in the CVE
Malfunction vulnerability in l2_packet_receive_timeout() function in Samsung Electronics TizenRT latest version (and earlier) due to missing a check on the return value of pcap_dispatch().
Discoverer(s)/Credits
UVScan
Reference(s)
https://linux.die.net/man/3/pcap_dispatch
pcap_dispatch(pcap, 10, l2_packet_receive_cb, (u_char *)l2);