
Broadcom: Stack buffer overflow when parsing CCKM reassociation response - 0x0
https://bugs.chromium.org/p/project-zero/issues/detail?id=1051
======
0x0
I'm wondering if this is the bug referenced in iOS 10.3.1 -
[https://support.apple.com/en-us/HT207688](https://support.apple.com/en-us/HT207688)

I also wonder if this affects MacBooks? Some of them, at the very least, ship
with "Card: AirPort Extreme, Firmware version: Broadcom BCM43xx" according to
System Information.

Edit: Also, speculating on the impact. Is it possible that an attacker can
construct a device that can spam unauthenticated Wi-Fi frames that will be
interpreted by devices in the pockets of passersby, triggering a buffer
overflow, gaining RCE in the Wi-Fi chip, and then use DMA or some such to read
out all main system memory, or maybe even write RCE shellcode to the main
operating system? Sounds pretty deadly if your device can get rooted
automatically just by being nearby another device. Glad this was found by
Google Project Zero and responsibly disclosed, hopefully the bad guys haven't
found anything similar :O :)
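As an added illustration of the bug class the title names (a stack buffer overflow while parsing a length-prefixed element of a management frame), here is a hypothetical TLV parser in its vulnerable and hardened forms. This is example code written for this page; it is not taken from Broadcom firmware or from the Project Zero report, and the element ID (0x9d), the 32-byte destination buffer and the frame bytes are all constructed for the demonstration. The point it shows is the one-line difference: the vulnerable copy trusts the attacker-supplied length byte, the hardened copy checks it against the destination first, and the element walk itself also refuses an element whose length runs past the end of the frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical example, not Broadcom code: an element from an unauthenticated
 * management frame is copied into a fixed-size stack buffer. All IDs, sizes
 * and frame bytes below are constructed for the illustration. */

#define IE_ID_EXAMPLE 0x9d   /* made-up element ID */
#define KEY_BUF_LEN   32     /* fixed stack buffer the parser copies into */

/* Walk the element list (id, len, payload...) and locate the first element
 * with the wanted id. Bounds-checks against body_len so the walk itself can
 * never read past the frame. Returns 1 on success, 0 if absent or malformed. */
static int find_ie(const uint8_t *body, size_t body_len, uint8_t id,
                   const uint8_t **payload, size_t *payload_len)
{
    size_t off = 0;
    while (off + 2 <= body_len) {
        uint8_t cur_id = body[off];
        size_t cur_len = body[off + 1];
        if (off + 2 + cur_len > body_len)   /* length claims more than the frame has */
            return 0;
        if (cur_id == id) {
            *payload = body + off + 2;
            *payload_len = cur_len;
            return 1;
        }
        off += 2 + cur_len;
    }
    return 0;
}

/* Vulnerable pattern: the copy length comes straight from the frame. An
 * element claiming more than KEY_BUF_LEN bytes overwrites whatever sits above
 * key[] on the stack (saved registers, return address). Returns bytes copied
 * or -1 if the element is missing. Never call this with hostile input. */
int parse_unchecked(const uint8_t *body, size_t body_len)
{
    const uint8_t *p; size_t n;
    uint8_t key[KEY_BUF_LEN];
    if (!find_ie(body, body_len, IE_ID_EXAMPLE, &p, &n))
        return -1;
    memcpy(key, p, n);   /* n is attacker-controlled, up to 255 */
    return (int)n;
}

/* Hardened form: reject any element larger than the destination before
 * copying. Returns bytes copied, or -1 on a missing or oversized element. */
int parse_checked(const uint8_t *body, size_t body_len, uint8_t *out, size_t out_len)
{
    const uint8_t *p; size_t n;
    if (!find_ie(body, body_len, IE_ID_EXAMPLE, &p, &n))
        return -1;
    if (n > out_len)     /* the check the vulnerable version lacks */
        return -1;
    memcpy(out, p, n);
    return (int)n;
}

/* Constructed frame bodies (not captures). */
static const uint8_t ssid_ie[] = { 0x00, 0x04, 'S', 'S', 'I', 'D' };

/* SSID element followed by a 16-byte example element: fits in 32 bytes. */
static const uint8_t benign_body[] = {
    0x00, 0x04, 'S', 'S', 'I', 'D',
    IE_ID_EXAMPLE, 16, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* Element whose length byte (200) runs past the end of a 3-byte frame. */
static const uint8_t truncated_body[] = { IE_ID_EXAMPLE, 200, 0x41 };

/* Build a body whose example element claims `claimed` payload bytes of 'A'.
 * Returns the body length, or 0 if buf is too small. */
size_t build_hostile(uint8_t *buf, size_t buf_len, uint8_t claimed)
{
    size_t n = 0;
    if (buf_len < sizeof ssid_ie + 2 + (size_t)claimed) return 0;
    memcpy(buf, ssid_ie, sizeof ssid_ie); n += sizeof ssid_ie;
    buf[n++] = IE_ID_EXAMPLE;
    buf[n++] = claimed;
    memset(buf + n, 0x41, claimed); n += claimed;
    return n;
}

/* Build a hostile body claiming `claimed` bytes and run the checked parser. */
int hostile_checked(uint8_t claimed)
{
    uint8_t body[sizeof ssid_ie + 2 + 255];
    uint8_t out[KEY_BUF_LEN];
    size_t len = build_hostile(body, sizeof body, claimed);
    return parse_checked(body, len, out, sizeof out);
}

int main(void)
{
    uint8_t out[KEY_BUF_LEN];
    printf("benign, checked:    %d\n", parse_checked(benign_body, sizeof benign_body, out, sizeof out));
    printf("benign, unchecked:  %d\n", parse_unchecked(benign_body, sizeof benign_body));
    printf("truncated, checked: %d\n", parse_checked(truncated_body, sizeof truncated_body, out, sizeof out));
    printf("200-byte element, checked: %d\n", hostile_checked(200));
    /* parse_unchecked() on the 200-byte element is deliberately not called:
     * it would write 200 bytes into a 32-byte stack buffer. */
    return 0;
}
```

The walk in find_ie protects against the read side (a length byte larger than the remaining frame), and the `n > out_len` test protects the write side; a parser needs both, since a frame can be well-formed as a TLV list and still carry an element larger than the buffer it is copied into.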

