Red Hat Enterprise Linux 6.0 Overflow Vulnerability
A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.
The information has been provided by Pedro Sampaio.
The original article can be found at: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3846
The problem is inside the mwifiex_update_bss_desc_with_ie function in drivers/net/wireless/marvell/mwifiex/scan.c.
When a STA connects to an AP, mwifiex_update_bss_desc_with_ie is called to update the BSS descriptor. In that function the IEs of the beacon packet are parsed. When processing the WLAN_EID_SUPP_RATES element, it does not check the length of the rates data before calling memcpy; the destination buffer bss_entry->data_rates is a fixed-size array.
A remote attacker can set up a fake AP that sends a malicious beacon packet with an over-long WLAN_EID_SUPP_RATES element (element_len > 14); when the victim STA connects to the fake AP, the heap buffer overflow is triggered.
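The missing check, shown in a small user-space model of the beacon IE walk (added example, not the mwifiex driver's code). The struct, the function name and the 14-byte buffer size are assumptions; 14 is taken from the element_len > 14 condition above, and WLAN_EID_SUPP_RATES is the standard 802.11 element ID 1.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WLAN_EID_SUPP_RATES 1      /* IEEE 802.11 Supported Rates element ID */
#define SUPPORTED_RATES_MAX 14     /* assumed size of the fixed destination buffer */

/* Hypothetical model of the BSS descriptor; only the field relevant here. */
struct bss_desc {
    uint8_t data_rates[SUPPORTED_RATES_MAX];
    size_t  data_rates_len;
};

/* Walk the TLV-encoded IEs of a beacon body (1-byte id, 1-byte length, body).
 * Returns the number of rate bytes copied, or -1 if an element runs past the
 * buffer or a Supported Rates element is longer than the destination array.
 * The vulnerable driver copied element_len bytes without comparing it to the
 * destination size; the length check before memcpy is the fix modelled here. */
int parse_beacon_ies(const uint8_t *ies, size_t ies_len, struct bss_desc *bss)
{
    size_t off = 0;

    memset(bss, 0, sizeof(*bss));
    while (off + 2 <= ies_len) {
        uint8_t id  = ies[off];
        uint8_t len = ies[off + 1];
        const uint8_t *body = ies + off + 2;

        if (off + 2 + (size_t)len > ies_len)
            return -1;                          /* element claims more bytes than present */

        if (id == WLAN_EID_SUPP_RATES) {
            if (len > sizeof(bss->data_rates))
                return -1;                      /* oversized element: reject instead of overflowing */
            memcpy(bss->data_rates, body, len);
            bss->data_rates_len = len;
        }
        off += 2 + (size_t)len;
    }
    return (int)bss->data_rates_len;
}
```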
- Red Hat Enterprise Linux 6.0
- Red Hat Enterprise Linux 7.0
- Red Hat Enterprise Linux 8.0