Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver

Summary

I spotted two buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code:
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_core.c
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/wifi/eswifi/eswifi_shell.c

Details

Off-by-one buffer overflow in /drivers/wifi/eswifi/eswifi_core.c:

int eswifi_mgmt_iface_status(const struct device *dev,
			     struct wifi_iface_status *status)
{
	struct eswifi_dev *eswifi = dev->data;
	struct eswifi_sta *sta = &eswifi->sta;

	/* Update status */
	eswifi_status_work(&eswifi->status_work.work);

	if (!sta->connected) {
		status->state = WIFI_STATE_DISCONNECTED;
		return 0;
	}

	status->state = WIFI_STATE_COMPLETED;
	strcpy(status->ssid, sta->ssid); /* VULN: off-by-one (sta->ssid[33] copied over status->ssid[32]) */ 
	status->ssid_len = strlen(sta->ssid);
	status->band = WIFI_FREQ_BAND_2_4_GHZ;
	status->channel = 0;
...

Static buffer overflow in /drivers/wifi/eswifi/eswifi_shell.c:

static int eswifi_shell_atcmd(const struct shell *sh, size_t argc,
			      char **argv)
{
	int i;

	if (eswifi == NULL) {
		shell_print(sh, "no eswifi device registered");
		return -ENOEXEC;
	}

	if (argc < 2) {
		shell_help(sh);
		return -ENOEXEC;
	}

	eswifi_lock(eswifi);

	memset(eswifi->buf, 0, sizeof(eswifi->buf));
	for (i = 1; i < argc; i++) {
		strcat(eswifi->buf, argv[i]); /* VULN: static buffer overflow */
	}
	strcat(eswifi->buf, "\r");

	shell_print(sh, "> %s", eswifi->buf);
	eswifi_at_cmd(eswifi, eswifi->buf);
	shell_print(sh, "< %s", eswifi->buf);

	eswifi_unlock(eswifi);

	return 0;
}

PoC

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

Impact

If the unchecked inputs above are attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution.

Patches

This has been fixed in:

main (v3.5 development cycle) #63074 #63750

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Patches

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Off-by-one Error

Credits