Headline
CVE-2023-4257: Unchecked user input length in the Zephyr WiFi shell module
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.
Summary
I spotted two instances of user input with unchecked length at the following locations in the Zephyr WiFi shell module source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi_shell.c#L334-L335
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi_shell.c#L355-L356
Details
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c:
```c
static int __wifi_args_to_params(size_t argc, char *argv[],
				 struct wifi_connect_req_params *params)
{
	char *endptr;
	int idx = 1;

	if (argc < 1) {
		return -EINVAL;
	}

	/* SSID */
	params->ssid = argv[0]; /* VULN: unchecked length (should be max 32) */
	params->ssid_length = strlen(params->ssid);

	/* Channel (optional) */
	if ((idx < argc) && (strlen(argv[idx]) <= 3)) {
	…
	/* PSK (optional) */
	if (idx < argc) {
		params->psk = argv[idx]; /* VULN: unchecked length (should be min 8, max 64) */
		params->psk_length = strlen(argv[idx]);

		/* Defaults */
		params->security = WIFI_SECURITY_TYPE_PSK;
		params->mfp = WIFI_MFP_OPTIONAL;

		idx++;
```
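As an added example (not Zephyr's code and not the upstream fix in #60537), here is a length-checked variant of the parser above that rejects an SSID longer than 32 bytes and a PSK outside 8..64 bytes before either is stored. The struct definition and the limit macros are simplified assumptions standing in for Zephyr's types, using only the bounds the VULN comments name.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
/* Bounds taken from the advisory's VULN comments. */
#define WIFI_SSID_MAX_LEN 32
#define WIFI_PSK_MIN_LEN  8
#define WIFI_PSK_MAX_LEN  64

/* Simplified stand-in for Zephyr's struct wifi_connect_req_params (assumption). */
struct wifi_connect_req_params {
	const char *ssid;
	size_t ssid_length;
	const char *psk;
	size_t psk_length;
};

/* Length-checked variant of __wifi_args_to_params: each user string is bounded
 * before it is stored, so no later copy into a fixed-size buffer can overrun.
 * Returns 0 on success, -EINVAL on a missing or out-of-range argument. */
static int wifi_args_to_params_checked(size_t argc, char *argv[],
				       struct wifi_connect_req_params *params)
{
	size_t idx = 1;
	size_t len;

	if (argc < 1) {
		return -EINVAL;
	}
	/* SSID: validate the length first, then publish pointer and length together. */
	len = strlen(argv[0]);
	if (len == 0 || len > WIFI_SSID_MAX_LEN) {
		return -EINVAL;
	}
	params->ssid = argv[0];
	params->ssid_length = len;
	/* Channel (optional): recognised by its <= 3 character length as in the
	 * original; its numeric parsing is elided there and skipped here too. */
	if (idx < argc && strlen(argv[idx]) <= 3) {
		idx++;
	}
	/* PSK (optional): enforce the 8..64 window before storing. */
	if (idx < argc) {
		len = strlen(argv[idx]);
		if (len < WIFI_PSK_MIN_LEN || len > WIFI_PSK_MAX_LEN) {
			return -EINVAL;
		}
		params->psk = argv[idx];
		params->psk_length = len;
	}
	return 0;
}
```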
PoC
I haven’t tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
The unchecked inputs may cause buffer overflows in other locations, the impact of which could range from denial of service to arbitrary code execution.
Patches
This has been fixed in:
- main (v3.5 development cycle) #60537
- 3.4 #61383
Related news
Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.