trx_frame_read(frame_ptr, LENGTH_FIELD_LEN + phy_frame_len +
LQI_LEN);
receive_frame->mpdu = frame_ptr;
/* Add ED value at the end of the frame buffer. */
receive_frame->mpdu[phy_frame_len + LQI_LEN + ED_VAL_LEN] = ed_value;
The mpdu content is later parsed here, the first 32 bits is considered as length of the frame without any restriction. This makes frame_ptr accessing oob memory, causing data corruption, DoS and potientially RCE.
As all (or almost every) versions in thirdparty/wireless/avr2025_mac/source/tal/ can have the same issue, the best way to fix this might be adding length check in right before actually using the length at here.
Description
In handle_received_frame_irq, it reads mpdu content from MMIO
The mpdu content is later parsed here, the first 32 bits is considered as length of the frame without any restriction. This makes
frame_ptraccessing oob memory, causing data corruption, DoS and potientially RCE.Fix
As all (or almost every) versions in
thirdparty/wireless/avr2025_mac/source/tal/can have the same issue, the best way to fix this might be adding length check in right before actually using the length at here.This is discoverd by XinDistince and xdchase.