Changes

Line 548: Line 548:  
!  Discovered by
 
!  Discovered by
 
|-
 
|-
| [[Bluetooth_Driver_services|bluetooth]] gatt_process_notification stack buffer overflow
+
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow
 
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
 
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack.
 
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
 
These were fixed by adding a bounds check for the size, size==0 is also checked for now.
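Review bot: The changed title line adds "BSA" between the [[Bluetooth_Driver_services|bluetooth]] link and gatt_process_notification, but the unchanged description below it never says what BSA refers to; it still introduces the function only as "the GATT handler for processing notification/indication messages". Suggest adding a short clause to the description that names the BSA component, so the new qualifier in the title is explained in the row itself. While this row is being touched, the closing sentence "size==0 is also checked for now" could say whether the zero-size check is meant to be temporary, and the description could say which value goes negative when fewer than 2 bytes follow op_code.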