https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286446
Bug ID: 286446
Summary: net80211: Insufficient length verification with TIM information element
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: wireless
Assignee: [email protected]
Reporter: [email protected]
I am reporting a likely harmless out-of-bounds read in net80211. When
information elements are parsed in ieee80211_parse_beacon, some are not checked
for length, so I can put a zero length IE for TIM at the end of the IE list. An
example can be found here:
https://github.com/freebsd/freebsd-src/blob/main/sys/net80211/ieee80211_input.c#L601
It is then used here:
https://github.com/freebsd/freebsd-src/blob/e85eb4c8d7bd8051c351a6fc6982a8b3bcfdbb2d/sys/net80211/ieee80211_sta.c#L1558
The fields in the ieee80211_tim_ie object can all be read out-of-bounds from
the input mbuf, although this is unlikely to disclose much information since it
only affects whether the VAP is woken up from SLEEP state.
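Below is an added example, not FreeBSD's code, of a bounds-checked walk over a beacon's IE list that applies the TIM length check the report says is missing; the element ID constant, the minimum TIM body size and the `tim_view` layout are this example's own assumptions, and the sample IE lists are constructed.

```c
/* Added example (not net80211's code): walk a beacon body's IE list,
 * rejecting any element whose header or body overruns the buffer and any
 * TIM element shorter than its fixed fields. */
#include <stddef.h>
#include <stdint.h>

#define IE_ID_TIM    5  /* 802.11 TIM element ID (assumed standard value) */
#define TIM_MIN_BODY 4  /* dtim count, dtim period, bitmap control, >=1 bitmap byte */

/* Parsed view of a TIM element. The field names follow the report's
 * description, but this layout is the example's own, not net80211's struct. */
struct tim_view {
    uint8_t count, period, bitctl;
    const uint8_t *bitmap;
    size_t bitmap_len;
};

/* Returns 1 if a well-formed TIM was found, 0 if the list has none, and -1
 * if the list is malformed (truncated header, body past the end, or a TIM
 * whose length would leave its fixed fields out of bounds). */
int find_tim(const uint8_t *ies, size_t len, struct tim_view *out)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                 /* truncated element header */
        uint8_t id = ies[off], elen = ies[off + 1];
        if (elen > len - off - 2)
            return -1;                 /* body would run past the buffer */
        if (id == IE_ID_TIM) {
            if (elen < TIM_MIN_BODY)
                return -1;             /* zero/short TIM: fields would be OOB */
            const uint8_t *b = ies + off + 2;
            out->count = b[0]; out->period = b[1]; out->bitctl = b[2];
            out->bitmap = b + 3; out->bitmap_len = elen - 3;
            return 1;
        }
        off += 2 + elen;
    }
    return 0;
}

/* Constructed samples: SSID "ab" (id 0) followed by a TIM. The second list
 * ends with a zero-length TIM, the shape the report describes. */
const uint8_t good_ies[] = {0, 2, 'a', 'b', 5, 4, 0, 1, 0, 0x02};
const uint8_t bad_ies[]  = {0, 2, 'a', 'b', 5, 0};
```

With the check in place the zero-length TIM is rejected before any of its fields are read, rather than being handed to the caller as a struct whose bytes lie beyond the element.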