Bug 911129 (CVE-2013-4219) - CVE-2013-4219 wimax: Three integer overflows, leading to heap-based buffer overflows when handling PDUs for L5 connections
Summary: CVE-2013-4219 wimax: Three integer overflows, leading to heap-based buffer ov...
Keywords:
Status: CLOSED EOL
Alias: CVE-2013-4219
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 995160
Blocks: 909233
TreeView+ depends on / blocked
 
Reported: 2013-02-14 12:53 UTC by Florian Weimer
Modified: 2019-09-29 13:00 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-17 16:48:48 UTC


Attachments (Terms of Use)

Description Florian Weimer 2013-02-14 12:53:40 UTC
There are integer overflows leading to heap-based buffer overflows in the message processing in InfraStack/OSAgnostic/Product/AppSrvInfra/L5SocketsDispatcher.c.  For example, in function l5_sockets_dispatcher_HandleRequestMessage,
there is this code:

   pMessageCopy = OSAL_alloc(  sizeof(tL5Message) + pReceivedMessage->dwSentBufferSize );
   ...
   memcpy( pMessageCopy, pReceivedMessage, sizeof(tL5Message) + pReceivedMessage->dwSentBufferSize );

According to a comment in InfraStack/OSAgnostic/Common/L5Common/L5Common.h, the dwSentBufferSize value comes from the wire.

In InfraStack/OSAgnostic/Product/PipeHandler/L5Connector.c, functions PIPE_HANDLER_SendReceiveL5, l5_connector_HandleRequestMessage seem to have a similar problem.  Furthermore, endianess conversion is missing.

Comment 5 Jan Lieskovsky 2013-08-08 16:08:39 UTC
Three cases of integer overflow, leading to heap-based buffer overflow flaw, were found in the way socket dispatcher and connector modules for L5 connections of WiMAX, an user space daemon for the Intel 2400m Wireless WiMAX link, used to handle certain payload data units (PDUs) for L5 connections. A remote attacker could issue a connection request with specially-crafted PDU value that, when processed would lead to socket dispatcher / connector module crash or, potentially, arbitrary code execution with the privileges of the user running these modules.

Comment 6 Jan Lieskovsky 2013-08-08 16:45:42 UTC
Acknowledgements:

This issue was found by Florian Weimer of Red Hat Product Security Team.

Comment 7 Jan Lieskovsky 2013-08-08 16:48:57 UTC
Created wimax tracking bugs for this issue:

Affects: fedora-all [bug 995160]

Comment 8 Jan Lieskovsky 2013-08-08 16:57:17 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/08/08/10

Comment 9 Jan Lieskovsky 2013-08-09 07:23:21 UTC
The CVE identifier of CVE-2013-4219 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/08/08/17

Comment 10 Florian Weimer 2015-02-17 16:48:48 UTC
Only Fedora 19 shipped the wimax packages, and it is now EOL.


Note You need to log in before you can comment on or make changes to this bug.