core: rtw_ieee80211: guard attr_len underflow in rtw_get_wfd_attr_content#63
Closed
breakneck-git wants to merge 1 commit into
Closed
core: rtw_ieee80211: guard attr_len underflow in rtw_get_wfd_attr_content#63breakneck-git wants to merge 1 commit into
breakneck-git wants to merge 1 commit into
Conversation
…tent
This is the same class of bug as the one already addressed in
rtw_get_p2p_attr_content() in this file: a malformed WFD attribute
whose length field is in the range 0xFFFD..0xFFFF causes the parser's
u16 (attr_data_len + 3) to wrap to {0,1,2}. The bounds check in
rtw_get_wfd_attr() catches "too large", not "wrapped".
When attr_len < 3 reaches the callee, (attr_len - 3) underflows in
u32 to a near-INT_MAX value, and _rtw_memcpy(buf_content, attr_ptr+3,
underflowed) copies that many bytes into buf_content, which several
callers pass as a fixed-size stack buffer.
The neighbouring rtw_get_p2p_attr_content() in the same file already
uses a different bounds-safe pattern (caller pre-populates *len_content
with sizeof(buf), function clamps to that). This WFD variant was
apparently missed in that hardening pass, so this patch applies the
minimal "attr_len >= 3" guard here.
A wider hardening pass on rtw_get_wfd_attr_content() to mirror the
P2P pattern (caller-supplied bounds) would also be valid -- happy to
do that as a follow-up if maintainers prefer.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Guards against an integer underflow in
rtw_get_wfd_attr_content()that, on a malformed Wi-Fi-Display attribute, leads to_rtw_memcpy()writing a near-INT_MAX number of bytes into a kernel stack buffer.Why only WFD here
This fork's
rtw_get_p2p_attr_content()(same file, just above) already uses a bounds-safe pattern — callers pre-populate*len_contentwithsizeof(buf)and the function clamps the copy to that hint. Whoever did that hardening pass apparently missedrtw_get_wfd_attr_content()right below it; this PR addresses just the missed variant.The same class of bug was also submitted to:
Root cause
attr_lencarries the 3-byte WFD attribute header. The parser computesattr_len = attr_data_len + 3with both operandsu16. Whenattr_data_len >= 0xFFFD(attacker-controlled length field in frame), the addition wraps inu16to{0, 1, 2}. The parser's bounds check only catchesattr_len > wfd_ielen, not the wrap.When
attr_len < 3reaches the callee,attr_len - 3underflows inu32to a near-INT_MAX value, and_rtw_memcpy(buf_content, attr_ptr + 3, ~0xFFFFFFFE)runs.Fix
Replace
attr_lentruthiness check withattr_len >= 3(the documented minimum). When the parser returns underflowedattr_len < 3, the callee now returns NULL with*len_content == 0, matching the documented "attribute not found" return path that all callers already handle.A follow-up to mirror the P2P pattern (caller-supplied bounds via
*len_content) here would also be valid — happy to do it as a separate PR if you prefer.Test environment
0bda:0811) on Raspberry Pi 2B, kernel 6.12.47Disclosure
This patch is the result of a code-review pass conducted with the help of an LLM (Claude). The reasoning, exploit chain, and fix were verified by reading the relevant source paths exhaustively before submission. I am not a kernel engineer; please flag anything I missed.