Summary
I spotted two buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_core.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_shell.c
Details
Off-by-one buffer overflow in /drivers/wifi/eswifi/eswifi_core.c:
int eswifi_mgmt_iface_status(const struct device *dev,
                             struct wifi_iface_status *status)
{
        struct eswifi_dev *eswifi = dev->data;
        struct eswifi_sta *sta = &eswifi->sta;

        /* Update status */
        eswifi_status_work(&eswifi->status_work.work);

        if (!sta->connected) {
                status->state = WIFI_STATE_DISCONNECTED;
                return 0;
        }

        status->state = WIFI_STATE_COMPLETED;
        strcpy(status->ssid, sta->ssid); /* VULN: off-by-one (sta->ssid[33] copied over status->ssid[32]) */
        status->ssid_len = strlen(sta->ssid);
        status->band = WIFI_FREQ_BAND_2_4_GHZ;
        status->channel = 0;
        ...
Static buffer overflow in /drivers/wifi/eswifi/eswifi_shell.c:
static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
                              char **argv)
{
        int i;

        if (eswifi == NULL) {
                shell_print(sh, "no eswifi device registered");
                return -ENOEXEC;
        }

        if (argc < 2) {
                shell_help(sh);
                return -ENOEXEC;
        }

        eswifi_lock(eswifi);
        memset(eswifi->buf, 0, sizeof(eswifi->buf));

        for (i = 1; i < argc; i++) {
                strcat(eswifi->buf, argv[i]); /* VULN: static buffer overflow */
        }
        strcat(eswifi->buf, "\r");

        shell_print(sh, "> %s", eswifi->buf);
        eswifi_at_cmd(eswifi, eswifi->buf);
        shell_print(sh, "< %s", eswifi->buf);

        eswifi_unlock(eswifi);

        return 0;
}
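As an added illustration (not Zephyr's code and not the actual fix), the following shows bounded replacements for the two call sites above: the SSID copy checks the destination size instead of trusting strcpy, and the AT-command builder tracks its write position instead of chaining strcat. The array sizes 33 and 32 are the ones named in the advisory; ESWIFI_BUF_SIZE and the struct layouts are assumed stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the driver structures. The sizes 33 and 32 are
 * the ones the advisory names; ESWIFI_BUF_SIZE is an assumed value. */
#define ESWIFI_BUF_SIZE 64
struct eswifi_sta  { char ssid[33]; };
struct wifi_status { char ssid[32]; size_t ssid_len; };
struct eswifi_dev  { char buf[ESWIFI_BUF_SIZE]; };

/* Hardened form of the strcpy(): copy only what the destination can hold,
 * always NUL-terminate, and report truncation instead of overflowing. */
int copy_ssid(struct wifi_status *status, const struct eswifi_sta *sta)
{
    /* Bounded length: sta->ssid may legitimately lack a terminator. */
    const char *nul = memchr(sta->ssid, '\0', sizeof(sta->ssid));
    size_t len = nul ? (size_t)(nul - sta->ssid) : sizeof(sta->ssid);
    int rc = 0;
    if (len >= sizeof(status->ssid)) {
        len = sizeof(status->ssid) - 1;   /* leave room for the NUL */
        rc = -ENAMETOOLONG;
    }
    memcpy(status->ssid, sta->ssid, len);
    status->ssid[len] = '\0';
    status->ssid_len = len;
    return rc;
}

/* Hardened form of the strcat() loop: track the write position and refuse
 * the whole command before any argument would run past the end of buf. */
int build_at_cmd(struct eswifi_dev *dev, size_t argc, const char **argv)
{
    size_t pos = 0;
    memset(dev->buf, 0, sizeof(dev->buf));
    for (size_t i = 1; i < argc; i++) {
        size_t n = strlen(argv[i]);
        /* Need n bytes plus the trailing "\r" plus the NUL terminator. */
        if (n > sizeof(dev->buf) - pos - 2) {
            dev->buf[0] = '\0';
            return -E2BIG;
        }
        memcpy(dev->buf + pos, argv[i], n);
        pos += n;
    }
    dev->buf[pos++] = '\r';
    dev->buf[pos] = '\0';
    return 0;
}
```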
PoC
I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.
Impact
If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.
Patches
This has been fixed in: