Summary
I spotted two instances of user input with unchecked length at the following locations in the Zephyr WiFi shell module source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi_shell.c
Details
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c:
    static int __wifi_args_to_params(size_t argc, char *argv[],
                                     struct wifi_connect_req_params *params)
    {
        char *endptr;
        int idx = 1;

        if (argc < 1) {
            return -EINVAL;
        }

        /* SSID */
        params->ssid = argv[0]; /* VULN: unchecked length (should be max 32) */
        params->ssid_length = strlen(params->ssid);

        /* Channel (optional) */
        if ((idx < argc) && (strlen(argv[idx]) <= 3)) {
        ...

        /* PSK (optional) */
        if (idx < argc) {
            params->psk = argv[idx]; /* VULN: unchecked length (should be min 8, max 64) */
            params->psk_length = strlen(argv[idx]);
            /* Defaults */
            params->security = WIFI_SECURITY_TYPE_PSK;
            params->mfp = WIFI_MFP_OPTIONAL;
            idx++;
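The length checks that the two VULN comments call for, as an added example that is not Zephyr code and not the project's fix. `struct connect_params`, `bounded_len` and `args_to_params_checked` are hypothetical stand-ins, and the channel argument is left out so that `argv[1]` is the PSK.

```c
#include <errno.h>
#include <stddef.h>

/* Limits stated in the advisory: SSID max 32, PSK min 8 and max 64. */
#define SSID_MAX_LEN 32
#define PSK_MIN_LEN  8
#define PSK_MAX_LEN  64

/* Hypothetical stand-in for the wifi_connect_req_params fields used here. */
struct connect_params {
	const char *ssid;
	size_t ssid_length;
	const char *psk;
	size_t psk_length;
};

/* Length of s, reading at most max + 1 bytes; returns max + 1 if s is longer. */
static size_t bounded_len(const char *s, size_t max)
{
	size_t n = 0;

	while (n <= max && s[n] != '\0') {
		n++;
	}
	return n;
}

/* argv[0] = SSID, optional argv[1] = PSK (assumed layout, channel omitted).
 * Returns 0 on success, -EINVAL when an argument is missing or out of range.
 * params is written only after every argument has passed validation. */
int args_to_params_checked(size_t argc, char *argv[], struct connect_params *params)
{
	size_t ssid_len, psk_len = 0;

	if (argc < 1 || argv == NULL || params == NULL) {
		return -EINVAL;
	}
	ssid_len = bounded_len(argv[0], SSID_MAX_LEN);
	if (ssid_len > SSID_MAX_LEN) {
		return -EINVAL;
	}
	if (argc > 1) {
		psk_len = bounded_len(argv[1], PSK_MAX_LEN);
		if (psk_len < PSK_MIN_LEN || psk_len > PSK_MAX_LEN) {
			return -EINVAL;
		}
	}
	params->ssid = argv[0];
	params->ssid_length = ssid_len;
	params->psk = (argc > 1) ? argv[1] : NULL;
	params->psk_length = psk_len;
	return 0;
}
```

Rejecting at the parsing boundary means later code that copies `ssid` or `psk` into fixed-size buffers never sees an out-of-range length.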
PoC
I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
The unchecked inputs may cause buffer overflows in other locations, the impact of which could range from denial of service to arbitrary code execution.
Patches
This has been fixed in: