Changes

222 bytes added, 21:30, 20 November 2022
Line 1,057: Line 1,057:  
| <code><nn::pia::session::SessionProtocol::ParseLeaveMeshInvitation(nn::pia::transport::ReceivedMessageAccessor const&)></code> This immediately returns if *(ReceivedMessageAccessor+16) is 0. Then the input data is deserialized. The input u64 array is deserialized to stack, the u8 arraycount field from input is not validated.
 
| <code><nn::pia::session::SessionProtocol::ParseLeaveMeshInvitation(nn::pia::transport::ReceivedMessageAccessor const&)></code> This immediately returns if *(ReceivedMessageAccessor+16) is 0. Then the input data is deserialized. The input u64 array is deserialized to stack, the u8 arraycount field from input is not validated.
   −
Hence, stack buffer overlow. Note that there's similar loop code in nearby funcs, which do validate the count properly.
+
Hence, stack buffer overflow. Note that there's similar loop code in nearby funcs, which do validate the count properly.
   −
In fixed versions the arraycount field is now validated.
+
In fixed versions the arraycount field is now validated. However it seems at some point this fix was reverted, in v5.11.3 (exact starting version unknown) the check isn't present, while in v5.18.98 it is present (exact starting version unknown).
 
| Stack buffer overflow triggered by a Pia SessionProtocol message.
 
| Stack buffer overflow triggered by a Pia SessionProtocol message.
| v5.9.3
+
| v5.9.3, reverted and fixed again later
 
| v5.9.1/v5.9.2/v5.9.3
 
| v5.9.1/v5.9.2/v5.9.3
 
| November 14, 2022
 
| November 14, 2022
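Review bot: the sentence added after "In fixed versions the arraycount field is now validated." repeats the parenthetical "(exact starting version unknown)" twice and joins the two version observations with a comma, which makes it hard to read; suggest a single sentence along the lines of "However, the check was later removed: it is absent in v5.11.3 and present again in v5.18.98 (the exact versions where it was reverted and re-added are unknown)." The "Fixed in" cell change to "v5.9.3, reverted and fixed again later" is consistent with that sentence, and the "overlow" to "overflow" typo correction in the description column is right.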