Bug 911129 (CVE-2013-4219)

Summary: CVE-2013-4219 wimax: Three integer overflows, leading to heap-based buffer overflows when handling PDUs for L5 connections
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED EOL QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, dcbw, jlieskov, jrusnack, rkhan
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: impact=moderate,public=20130808,reported=20130214,source=redhat,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,fedora-all/wimax=affected,cwe=CWE-190->CWE-122
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-17 11:48:48 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 995160    
Bug Blocks: 909233    

Description Florian Weimer 2013-02-14 07:53:40 EST
There are integer overflows leading to heap-based buffer overflows in the message processing in InfraStack/OSAgnostic/Product/AppSrvInfra/L5SocketsDispatcher.c.  For example, in function l5_sockets_dispatcher_HandleRequestMessage,
there is this code:

   pMessageCopy = OSAL_alloc(  sizeof(tL5Message) + pReceivedMessage->dwSentBufferSize );
   memcpy( pMessageCopy, pReceivedMessage, sizeof(tL5Message) + pReceivedMessage->dwSentBufferSize );

According to a comment in InfraStack/OSAgnostic/Common/L5Common/L5Common.h, the dwSentBufferSize value comes from the wire.

In InfraStack/OSAgnostic/Product/PipeHandler/L5Connector.c, functions PIPE_HANDLER_SendReceiveL5, l5_connector_HandleRequestMessage seem to have a similar problem.  Furthermore, endianess conversion is missing.
Comment 5 Jan Lieskovsky 2013-08-08 12:08:39 EDT
Three cases of integer overflow, leading to heap-based buffer overflow flaw, were found in the way socket dispatcher and connector modules for L5 connections of WiMAX, an user space daemon for the Intel 2400m Wireless WiMAX link, used to handle certain payload data units (PDUs) for L5 connections. A remote attacker could issue a connection request with specially-crafted PDU value that, when processed would lead to socket dispatcher / connector module crash or, potentially, arbitrary code execution with the privileges of the user running these modules.
Comment 6 Jan Lieskovsky 2013-08-08 12:45:42 EDT

This issue was found by Florian Weimer of Red Hat Product Security Team.
Comment 7 Jan Lieskovsky 2013-08-08 12:48:57 EDT
Created wimax tracking bugs for this issue:

Affects: fedora-all [bug 995160]
Comment 8 Jan Lieskovsky 2013-08-08 12:57:17 EDT
CVE Request:
Comment 9 Jan Lieskovsky 2013-08-09 03:23:21 EDT
The CVE identifier of CVE-2013-4219 has been assigned to this issue:
Comment 10 Florian Weimer 2015-02-17 11:48:48 EST
Only Fedora 19 shipped the wimax packages, and it is now EOL.