Security: Malfunction in function l2_packet_receive_timeout()

[UVScan]

Affected components

affected source code file: external/wpa_supplicant/src/l2_packet/l2_packet_pcap.c

Attack vector(s)

Lacking a check for the return value of pcap_dispatch.
pcap_dispatch() returns the number of packets processed on success; this can be 0 if no packets were read from a live capture (if, for example, they were discarded because they didn't pass the packet filter, or if, on platforms that support a read timeout that starts before any packets arrive, the timeout expires before any packets arrive, or if the file descriptor for the capture device is in non-blocking mode and no packets were available to be read) or if no more packets are available in a ''savefile.'' It returns -1 if an error occurs or -2 if the loop terminated due to a call to pcap_breakloop() before any packets were processed. If your application uses pcap_breakloop(), make sure that you explicitly check for -1 and -2, rather than just checking for a return value < 0.

Suggested description of the vulnerability for use in the CVE

Malfunction vulnerability in l2_packet_receive_timeout() function in Samsung Electronics TizenRT latest version (and earlier) due to missing a check on the return value of pcap_dispatch().

Discoverer(s)/Credits

UVScan

Reference(s)

https://linux.die.net/man/3/pcap_dispatch

TizenRT/external/wpa_supplicant/src/l2_packet/l2_packet_pcap.c

Line 181 in f8f776d

pcap_dispatch(pcap, 10, l2_packet_receive_cb, (u_char *)l2);