There are integer overflows leading to heap-based buffer overflows in the message processing in InfraStack/OSAgnostic/Product/AppSrvInfra/L5SocketsDispatcher.c. For example, in function l5_sockets_dispatcher_HandleRequestMessage,
there is this code:
pMessageCopy = OSAL_alloc( sizeof(tL5Message) + pReceivedMessage->dwSentBufferSize );
memcpy( pMessageCopy, pReceivedMessage, sizeof(tL5Message) + pReceivedMessage->dwSentBufferSize );
According to a comment in InfraStack/OSAgnostic/Common/L5Common/L5Common.h, the dwSentBufferSize value comes from the wire.
In InfraStack/OSAgnostic/Product/PipeHandler/L5Connector.c, functions PIPE_HANDLER_SendReceiveL5, l5_connector_HandleRequestMessage seem to have a similar problem. Furthermore, endianess conversion is missing.
Three cases of integer overflow, leading to heap-based buffer overflow flaw, were found in the way socket dispatcher and connector modules for L5 connections of WiMAX, an user space daemon for the Intel 2400m Wireless WiMAX link, used to handle certain payload data units (PDUs) for L5 connections. A remote attacker could issue a connection request with specially-crafted PDU value that, when processed would lead to socket dispatcher / connector module crash or, potentially, arbitrary code execution with the privileges of the user running these modules.
This issue was found by Florian Weimer of Red Hat Product Security Team.
Created wimax tracking bugs for this issue:
Affects: fedora-all [bug 995160]
The CVE identifier of CVE-2013-4219 has been assigned to this issue:
Only Fedora 19 shipped the wimax packages, and it is now EOL.