Headline
CVE-2023-4259: Potential buffer overflow vulnerabilities in the Zephyr eS-WiFi driver
Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.
Summary
I spotted two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_core.c#L493
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_shell.c#L43
Details
Potential off-by-one buffer overflow in /drivers/wifi/eswifi/eswifi_core.c:
```c
int eswifi_mgmt_iface_status(const struct device *dev,
			     struct wifi_iface_status *status)
{
	struct eswifi_dev *eswifi = dev->data;
	struct eswifi_sta *sta = &eswifi->sta;

	/* Update status */
	eswifi_status_work(&eswifi->status_work.work);

	if (!sta->connected) {
		status->state = WIFI_STATE_DISCONNECTED;
		return 0;
	}

	status->state = WIFI_STATE_COMPLETED;
	strcpy(status->ssid, sta->ssid); /* VULN: off-by-one (sta->ssid[33] copied over status->ssid[32]) */
	status->ssid_len = strlen(sta->ssid);
	status->band = WIFI_FREQ_BAND_2_4_GHZ;
	status->channel = 0;
```
…
Potential static buffer overflow in /drivers/wifi/eswifi/eswifi_shell.c:
```c
static int eswifi_shell_atcmd(const struct shell *sh, size_t argc, char **argv)
{
	int i;

	if (eswifi == NULL) {
		shell_print(sh, "no eswifi device registered");
		return -ENOEXEC;
	}

	if (argc < 2) {
		shell_help(sh);
		return -ENOEXEC;
	}

	eswifi_lock(eswifi);
	memset(eswifi->buf, 0, sizeof(eswifi->buf));

	for (i = 1; i < argc; i++) {
		strcat(eswifi->buf, argv[i]); /* VULN: static buffer overflow */
	}

	strcat(eswifi->buf, "\r");

	shell_print(sh, "> %s", eswifi->buf);
	eswifi_at_cmd(eswifi, eswifi->buf);
	shell_print(sh, "< %s", eswifi->buf);

	eswifi_unlock(eswifi);

	return 0;
}
```
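To show what bounded versions of the two copies above look like, here is an added C example; it is not the Zephyr driver's code and not the upstream fix. The SSID copy truncates to the destination size the advisory's comment gives, and the AT-command builder rejects arguments that would not fit instead of overflowing. The macro names, ESWIFI_BUF_SIZE value and demo inputs are constructed for the example.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-ins for the driver's array sizes (hypothetical names):
 * SSID sizes follow the advisory's comment, the command buffer size is assumed. */
#define STA_SSID_SIZE    33
#define STATUS_SSID_SIZE 32
#define ESWIFI_BUF_SIZE  32

/* Bounded replacement for strcpy(status->ssid, sta->ssid): copies at most
 * dst_size - 1 bytes, always NUL-terminates, returns the bytes copied. */
size_t copy_ssid_bounded(char *dst, size_t dst_size, const char *src)
{
	size_t n = 0;
	while (n < dst_size - 1 && src[n] != '\0')
		n++;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}

/* Bounded replacement for the strcat() loop in eswifi_shell_atcmd(): refuses the
 * command when arguments plus "\r" plus NUL would not fit, returning -ENOEXEC. */
int build_at_cmd(char *buf, size_t buf_size, size_t argc, char **argv)
{
	size_t used = 0;
	memset(buf, 0, buf_size);
	for (size_t i = 1; i < argc; i++) {
		size_t len = strlen(argv[i]);
		/* invariant: used <= buf_size - 2, so the subtraction never wraps */
		if (len > buf_size - used - 2)
			return -ENOEXEC;
		memcpy(buf + used, argv[i], len);
		used += len;
	}
	buf[used++] = '\r';
	buf[used] = '\0';
	return 0;
}

/* Constructed inputs: a 32-char SSID that fits sta->ssid[33] but not
 * status->ssid[32], and a single AT-command argument of arg_len bytes. */
size_t demo_ssid_copy_len(void)
{
	char src[STA_SSID_SIZE], dst[STATUS_SSID_SIZE];
	memset(src, 'A', STA_SSID_SIZE - 1);
	src[STA_SSID_SIZE - 1] = '\0';
	return copy_ssid_bounded(dst, sizeof(dst), src); /* 31: one byte truncated */
}

int demo_atcmd(size_t arg_len)
{
	char buf[ESWIFI_BUF_SIZE], arg[64];
	char *argv[] = { "atcmd", arg };
	memset(arg, 'B', arg_len);
	arg[arg_len] = '\0';
	return build_at_cmd(buf, sizeof(buf), 2, argv);
}
```

Truncating the SSID is one possible mitigation; sizing status->ssid to match sta->ssid would avoid losing the last byte.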
PoC
I haven’t tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.
Related news
Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.