Vigil@nce: Linux kernel, denial of service via Broadcom 43xx
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the kernel uses the b43 network driver, an attacker can use
large Wi-Fi frames, in order to create a denial of service.
– Severity: 2/4
– Creation date: 14/09/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The b43 driver of the Linux kernel implements the support of
wireless network devices of the family Broadcom 43xx.
The dma_rx() function of file drivers/net/wireless/b43/dma.c
stores received data in a SKB (Socket Kernel Buffer), by using
skb_put().
When Wi-Fi frames are too large, they are stored in several
reception buffers. The dma_rx() function ignores this case by
rejecting these data. However, the detection logic for this case
is invalid, so an error occurs in skb_put().
When the kernel uses the b43 network driver, an attacker can
therefore use large Wi-Fi frames, in order to create a denial of
service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-Broadcom-43xx-10993