Created attachment 180244: patch to detect bad length value in WPS IE attribute

Thanks to Takashi Inoue at Nihon U for his efforts in debugging this.

Some APs broadcast WPS IE frames with totally broken data. Ifconfig's printwpsie() loops through WPS frames printing the attributes out; if the frame's data is bad, printwpsie() can end up looking at out-of-bounds addresses causing ifconfig to bus error.

This is an example of a bad WPS IE frame received...

ielen=41, len=39
printwpsie() ie[0]=0xdd
printwpsie() ie[1]=0x27
printwpsie() ie[2]=0x0
printwpsie() ie[3]=0x50
printwpsie() ie[4]=0xf2
printwpsie() ie[5]=0x4
printwpsie() ie[6]=0x10   <- id[0]
printwpsie() ie[7]=0x4a   <- id[1], id=0x104a VERSION
printwpsie() ie[8]=0x4a   <- len[0], broken, should be 0
printwpsie() ie[9]=0x1    <- len[1]
printwpsie() ie[10]=0x10
printwpsie() ie[11]=0x1   <- id[0]
printwpsie() ie[12]=0x10  <- id[1], broken, 0x0110 is not a valid ID value
printwpsie() ie[13]=0x0
printwpsie() ie[14]=0x1
printwpsie() ie[15]=0x2
printwpsie() ie[16]=0x10
printwpsie() ie[17]=0x47
printwpsie() ie[18]=0x0
printwpsie() ie[19]=0x10
printwpsie() ie[20]=0xe5
printwpsie() ie[21]=0x85
printwpsie() ie[22]=0xf2
printwpsie() ie[23]=0xf8
printwpsie() ie[24]=0xf8
printwpsie() ie[25]=0x9a
printwpsie() ie[26]=0x11
printwpsie() ie[27]=0x9a
printwpsie() ie[28]=0x11
printwpsie() ie[29]=0x3b
printwpsie() ie[30]=0x4b
printwpsie() ie[31]=0x3b
printwpsie() ie[32]=0x4b
printwpsie() ie[33]=0x10
printwpsie() ie[34]=0xc3
printwpsie() ie[35]=0x10
printwpsie() ie[36]=0xc3
printwpsie() ie[37]=0x3c
printwpsie() ie[38]=0x0
printwpsie() ie[39]=0x3c
printwpsie() ie[40]=0x3c

We do not currently have the manufacturer/model number of the offending device. We are attempting to get it and will post back here if/when we do.

The attached patch to src/sbin/ifconfig/ifieee80211.c detects an invalid attribute length and aborts the loop, thereby handling the bad frame properly.

This also affects 11.0 and probably 10.0 too, please MFC.
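The following is an added illustration, not the reporter's attached patch and not FreeBSD's ifconfig code: a small bounds-checked walker over the WPS IE attribute list (2-byte ID, 2-byte length, data), fed the exact 41-byte frame from the dump above plus a well-formed frame constructed for contrast. The walker stops at the first attribute whose declared length does not fit in the bytes actually held, which is the check the report describes; wps_walk_attrs and the sample arrays are names chosen here, and the WPS State attribute ID 0x1044 in the good frame is an assumption used only for the sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed from the hex dump in the bug report: a WPS IE
 * (element id 0xdd, length 0x27, OUI 00:50:f2, OUI type 0x04) whose
 * first attribute (Version, 0x104a) declares a length of 0x4a01 bytes,
 * far more than the 31 bytes that remain after its header.
 */
const uint8_t bad_wps_ie[41] = {
    0xdd, 0x27, 0x00, 0x50, 0xf2, 0x04,
    0x10, 0x4a, 0x4a, 0x01, 0x10, 0x01, 0x10, 0x00, 0x01, 0x02,
    0x10, 0x47, 0x00, 0x10, 0xe5, 0x85, 0xf2, 0xf8, 0xf8, 0x9a,
    0x11, 0x9a, 0x11, 0x3b, 0x4b, 0x3b, 0x4b, 0x10, 0xc3, 0x10,
    0xc3, 0x3c, 0x00, 0x3c, 0x3c
};

/*
 * A well-formed IE constructed for contrast: Version (0x104a, 1 byte,
 * value 0x10) followed by WPS State (0x1044, assumed ID, 1 byte, value 0x02).
 */
const uint8_t good_wps_ie[16] = {
    0xdd, 0x0e, 0x00, 0x50, 0xf2, 0x04,
    0x10, 0x4a, 0x00, 0x01, 0x10,
    0x10, 0x44, 0x00, 0x01, 0x02
};

/*
 * Walk the attribute list of a WPS IE held in ie[0..ielen).
 * Returns the number of well-formed attributes seen, or -1 if the IE
 * header itself is unusable.  Every read is bounded by ielen, so a bad
 * length field ends the walk instead of running off the buffer.
 */
int
wps_walk_attrs(const uint8_t *ie, size_t ielen, int verbose)
{
    size_t len, off, remain;
    int n = 0;

    /* Element header: id, length, OUI 00:50:f2, OUI type 4 (WPS). */
    if (ielen < 6 || ie[0] != 0xdd)
        return -1;
    len = ie[1];
    if (len + 2 > ielen)
        return -1;              /* IE claims more bytes than we hold */
    if (ie[2] != 0x00 || ie[3] != 0x50 || ie[4] != 0xf2 || ie[5] != 0x04)
        return -1;

    off = 6;
    /* Need a full 4-byte attribute header before reading id/len. */
    while (off + 4 <= len + 2) {
        uint16_t id = (uint16_t)((ie[off] << 8) | ie[off + 1]);
        uint16_t alen = (uint16_t)((ie[off + 2] << 8) | ie[off + 3]);

        remain = len + 2 - (off + 4);   /* bytes left after this header */
        if (alen > remain) {
            if (verbose)
                printf("attr 0x%04x: length %u exceeds remaining %zu, "
                       "aborting walk\n", id, alen, remain);
            return n;
        }
        if (verbose) {
            size_t i;
            printf("attr 0x%04x len %u:", id, alen);
            for (i = 0; i < alen; i++)
                printf(" %02x", ie[off + 4 + i]);
            printf("\n");
        }
        off += 4 + alen;
        n++;
    }
    return n;
}

int
main(void)
{
    printf("bad frame: %d attribute(s) parsed\n",
        wps_walk_attrs(bad_wps_ie, sizeof(bad_wps_ie), 1));
    printf("good frame: %d attribute(s) parsed\n",
        wps_walk_attrs(good_wps_ie, sizeof(good_wps_ie), 1));
    return 0;
}
```

On the frame from the report the walk ends at the very first attribute with nothing parsed; on the well-formed frame it yields two attributes. Passing an ielen smaller than ie[1]+2 is rejected up front, which covers the case where the caller's buffer is shorter than the element claims.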
A commit references this bug:

Author: adrian
Date: Thu Feb 23 20:49:17 UTC 2017
New revision: 314181
URL: https://svnweb.freebsd.org/changeset/base/314181

Log:
[ifconfig] handle illegal WPS frames

Some APs broadcast WPS IE frames with totally broken data. Ifconfig's printwpsie() loops through WPS frames printing the attributes out; if the frame's data is bad, printwpsie() can end up looking at out-of-bounds addresses causing ifconfig to bus error.

Thanks to Takashi Inoue at Nihon U for his efforts in debugging this.

PR: bin/217312
Submitted by: fbsd@opal.com
MFC after: 1 week

Changes:
head/sbin/ifconfig/ifieee80211.c
For completeness, the device generating the offending WPS IE frame is a Buffalo WZR-HP-AG300H.
A commit references this bug:

Author: eadler
Date: Mon Mar 5 07:14:56 UTC 2018
New revision: 330448
URL: https://svnweb.freebsd.org/changeset/base/330448

Log:
MFC r314181:

[ifconfig] handle illegal WPS frames

Some APs broadcast WPS IE frames with totally broken data. Ifconfig's printwpsie() loops through WPS frames printing the attributes out; if the frame's data is bad, printwpsie() can end up looking at out-of-bounds addresses causing ifconfig to bus error.

Thanks to Takashi Inoue at Nihon U for his efforts in debugging this.

PR: bin/217312

Changes:
_U stable/11/
stable/11/sbin/ifconfig/ifieee80211.c