Description

In handle_received_frame_irq, it reads mpdu content from MMIO:

```c
trx_frame_read(frame_ptr, LENGTH_FIELD_LEN + phy_frame_len + LQI_LEN);
receive_frame->mpdu = frame_ptr;
/* Add ED value at the end of the frame buffer. */
receive_frame->mpdu[phy_frame_len + LQI_LEN + ED_VAL_LEN] = ed_value;
```

The mpdu content is later parsed here; the first 32 bits are considered as the length of the frame without any restriction. This makes frame_ptr access OOB memory, causing data corruption, DoS and potentially RCE.

Fix

As all (or almost every) versions in thirdparty/wireless/avr2025_mac/source/tal/ can have the same issue, the best way to fix this might be adding a length check right before actually using the length here.

This was discovered by XinDistince and xdchase.
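The receive pattern quoted in the issue, first in its unchecked form and then with the length validated before it is used as a copy size and an index, as an added example: this is not ASF or TAL code. The transceiver frame buffer and trx_frame_read() are stood in for by a constructed byte array and a memcpy wrapper, and the names fake_trx_frame_buf, set_fake_frame, checked_frame_receive, unchecked_rx_footprint and RX_BUF_SIZE are hypothetical. The constants follow IEEE 802.15.4 (one PHR length byte, 127-byte maximum PSDU, 2-byte FCS); the lower bound on the length goes slightly beyond what the issue asks for and is an assumption of this example.

```c
/*
 * Added example (not ASF/TAL code): the receive pattern from the issue,
 * first unchecked, then with the PHR length validated before use.
 * Constants mirror IEEE 802.15.4; buffer and helper names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LENGTH_FIELD_LEN  1u    /* PHR: one length byte precedes the PSDU */
#define LQI_LEN           1u    /* LQI byte the transceiver appends */
#define ED_VAL_LEN        1u    /* ED value the driver appends */
#define FCS_LEN           2u    /* smallest valid PSDU is just the FCS */
#define aMaxPHYPacketSize 127u  /* IEEE 802.15.4 maximum PSDU length */

/* Receive buffer sized for a maximum-length frame plus LQI and ED. */
#define RX_BUF_SIZE (LENGTH_FIELD_LEN + aMaxPHYPacketSize + LQI_LEN + ED_VAL_LEN)

/* Stand-in for the transceiver's frame buffer (MMIO on the real radio).
 * Its contents are constructed by the caller via set_fake_frame(). */
static uint8_t fake_trx_frame_buf[256];

void set_fake_frame(const uint8_t *bytes, size_t n) {
    memset(fake_trx_frame_buf, 0, sizeof fake_trx_frame_buf);
    if (n > sizeof fake_trx_frame_buf) n = sizeof fake_trx_frame_buf;
    memcpy(fake_trx_frame_buf, bytes, n);
}

/* Stand-in for trx_frame_read(): copy len bytes out of the frame buffer. */
static void fake_trx_frame_read(uint8_t *dst, size_t len) {
    memcpy(dst, fake_trx_frame_buf, len);
}

/* Unchecked pattern from the issue: how many bytes of the destination the
 * copy plus the ED write touch when phy_frame_len is trusted as-is.
 * Returned rather than performed, so the overrun can be measured safely. */
size_t unchecked_rx_footprint(uint8_t phy_frame_len) {
    /* trx_frame_read(..., LENGTH_FIELD_LEN + phy_frame_len + LQI_LEN) fills
     * indices 0..phy_frame_len+1; the ED write then lands at index
     * phy_frame_len + LQI_LEN + ED_VAL_LEN, one byte further on. */
    return LENGTH_FIELD_LEN + phy_frame_len + LQI_LEN + ED_VAL_LEN;
}

/* Hardened receive: read the PHR, validate it against the protocol maximum
 * and the destination size, and only then use it. Returns false and leaves
 * rx_buf untouched when the frame must be dropped. */
bool checked_frame_receive(uint8_t *rx_buf, size_t rx_buf_size,
                           uint8_t ed_value, size_t *out_len) {
    uint8_t phy_frame_len = fake_trx_frame_buf[0];   /* first byte is the PHR */
    size_t needed = LENGTH_FIELD_LEN + phy_frame_len + LQI_LEN + ED_VAL_LEN;

    if (phy_frame_len < FCS_LEN || phy_frame_len > aMaxPHYPacketSize ||
        needed > rx_buf_size) {
        return false;
    }
    fake_trx_frame_read(rx_buf, LENGTH_FIELD_LEN + phy_frame_len + LQI_LEN);
    rx_buf[phy_frame_len + LQI_LEN + ED_VAL_LEN] = ed_value;
    *out_len = needed;
    return true;
}

/* Scenario 1: a frame whose PHR claims 0xFF bytes is rejected outright. */
bool demo_oversized_frame_rejected(void) {
    uint8_t hostile[] = { 0xFF, 0x41, 0x88 };   /* constructed: PHR = 255 */
    uint8_t rx_buf[RX_BUF_SIZE];
    size_t len = 0;
    set_fake_frame(hostile, sizeof hostile);
    return !checked_frame_receive(rx_buf, sizeof rx_buf, 0x10, &len) && len == 0;
}

/* Scenario 2: a well-formed 7-byte PSDU is accepted and the ED value is
 * stored right after the LQI byte. Returns that stored ED byte, or -1. */
int demo_valid_frame_ed_byte(void) {
    /* constructed: PHR = 7, seven PSDU bytes (FCF, seq, addressing, FCS), LQI */
    uint8_t good[] = { 7, 0x41, 0x88, 0x01, 0xCD, 0xAB, 0x12, 0x34, 0xC8 };
    uint8_t rx_buf[RX_BUF_SIZE];
    size_t len = 0;
    set_fake_frame(good, sizeof good);
    if (!checked_frame_receive(rx_buf, sizeof rx_buf, 0x2A, &len) || len != 10)
        return -1;
    return rx_buf[7 + LQI_LEN + ED_VAL_LEN];
}

int main(void) {
    printf("unchecked footprint for PHR=0xFF: %zu bytes (buffer is %u)\n",
           unchecked_rx_footprint(0xFF), (unsigned)RX_BUF_SIZE);
    printf("oversized frame rejected: %s\n",
           demo_oversized_frame_rejected() ? "yes" : "no");
    printf("valid frame ED byte: 0x%02X\n", demo_valid_frame_ed_byte());
    return 0;
}
```

The check has to run before the first use of phy_frame_len, not after the copy: once trx_frame_read() has been called with an unchecked count the destination is already overrun, and the later ED write only extends the damage by one byte.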