buffer overflow in handle_received_frame_irq

# Description

In [handle_received_frame_irq](https://github.com/avrxml/asf/blob/master/thirdparty/wireless/avr2025_mac/source/tal/at86rf231/src/tal_rx.c#L164), it reads mpdu content from MMIO

```c
trx_frame_read(frame_ptr, LENGTH_FIELD_LEN + phy_frame_len +
			LQI_LEN);
receive_frame->mpdu = frame_ptr;
/* Add ED value at the end of the frame buffer. */
receive_frame->mpdu[phy_frame_len + LQI_LEN + ED_VAL_LEN] = ed_value;
```

The mpdu content is later parsed [here](https://github.com/avrxml/asf/blob/master/thirdparty/wireless/avr2025_mac/source/tal/at86rf231/src/tal_rx.c#L237), the first 32 bits is considered as length of the frame without any restriction. This makes `frame_ptr` accessing oob memory, causing data corruption, DoS and potientially RCE.

```c
frame_len = last_frame_length = receive_frame->mpdu[0];
...
frame_ptr = &(receive_frame->mpdu[frame_len + LQI_LEN]);
lqi = *frame_ptr++;   <-- oob write
ed_level = *frame_ptr;
```

# Fix

As all (or almost every) versions in `thirdparty/wireless/avr2025_mac/source/tal/` can have the same issue, the best way to fix this might be adding length check in right before actually using the length at [here](https://github.com/avrxml/asf/blob/master/thirdparty/wireless/avr2025_mac/source/tal/at86rf231/src/tal_rx.c#L237).

This is discoverd by XinDistince and xdchase.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

buffer overflow in handle_received_frame_irq #11

Description

Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

buffer overflow in handle_received_frame_irq #11

Description

Description

Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions