Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver

Summary

I spotted two buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_core.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_shell.c

Details

Off-by-one buffer overflow in /drivers/wifi/eswifi/eswifi_core.c:

int eswifi_mgmt_iface_status(const struct device *dev,
			     struct wifi_iface_status *status)
{
	struct eswifi_dev *eswifi = dev->data;
	struct eswifi_sta *sta = &eswifi->sta;

	/* Update status */
	eswifi_status_work(&eswifi->status_work.work);

	if (!sta->connected) {
		status->state = WIFI_STATE_DISCONNECTED;
		return 0;
	}

	status->state = WIFI_STATE_COMPLETED;
	strcpy(status->ssid, sta->ssid); /* VULN: off-by-one (sta->ssid[33] copied over status->ssid[32]) */ 
	status->ssid_len = strlen(sta->ssid);
	status->band = WIFI_FREQ_BAND_2_4_GHZ;
	status->channel = 0;
...

Static buffer overflow in /drivers/wifi/eswifi/eswifi_shell.c:

static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
			      char **argv)
{
	int i;

	if (eswifi == NULL) {
		shell_print(sh, "no eswifi device registered");
		return -ENOEXEC;
	}

	if (argc < 2) {
		shell_help(sh);
		return -ENOEXEC;
	}

	eswifi_lock(eswifi);

	memset(eswifi->buf, 0, sizeof(eswifi->buf));
	for (i = 1; i < argc; i++) {
		strcat(eswifi->buf, argv[i]); /* VULN: static buffer overflow */
	}
	strcat(eswifi->buf, "\r");

	shell_print(sh, "> %s", eswifi->buf);
	eswifi_at_cmd(eswifi, eswifi->buf);
	shell_print(sh, "< %s", eswifi->buf);

	eswifi_unlock(eswifi);

	return 0;
}

PoC

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

Impact

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

Patches

This has been fixed in:

main (v3.5 development cycle) #63074 #63750

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Patches

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits