CVE-2023-4263: Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 driver

Summary

I spotted a potential buffer overflow vulnerability at the following location in the Zephyr IEEE 802.15.4 driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ieee802154/ieee802154_nrf5.c#L583

Details

Potential buffer overflow in drivers/ieee802154/ieee802154_nrf5.c:

static int nrf5_tx(const struct device *dev, enum ieee802154_tx_mode mode, struct net_pkt *pkt, struct net_buf *frag) { struct nrf5_802154_data *nrf5_radio = NRF5_802154_DATA(dev); uint8_t payload_len = frag->len; uint8_t *payload = frag->data; bool ret = true;

LOG\_DBG("%p (%u)", payload, payload\_len);

nrf5\_radio\->tx\_psdu\[0\] \= payload\_len + NRF5\_FCS\_LENGTH;
memcpy(nrf5\_radio\->tx\_psdu + 1, payload, payload\_len); /\* VULN: stack-based buffer overflow due to unchecked payload\_len \*/

/\* Reset semaphore in case ACK was received after timeout \*/
k\_sem\_reset(&nrf5\_radio\->tx\_wait);

…

PoC

I haven’t tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

Impact

If the unchecked input above is attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution.

Patches

This has been fixed in:

• main (v3.5 development cycle) #60528
• 3.4 #61384
• 2.7 #61216