Switch System Flaws: Difference between revisions
Line 1,062 (old revision) / Line 1,062 (new revision):
In fixed versions the arraycount field is now validated.
(Added in the new revision:) SessionProtocol uses the ReliableSlidingWindow MessageHeader, with a maximum message size of 0x100. The allocated size used for the above u64 array is also 0x100 bytes. Hence, when triggering a buffer overflow, the data after the buffer is uncontrolled data from the SessionProtocol object.
| Stack buffer overflow triggered by a Pia SessionProtocol message.
| v5.9.3, see above.
Line 1,083 (old revision) / Line 1,085 (new revision):
| nn::pia::session::JoinMeshJob::SetStationDataList OOB read/write/vfunc-call
| <code>nn::pia::session::JoinMeshJob::SetStationDataList</code> is called by <code>nn::pia::session::MeshProtocol::ParseJoinResponse(nn::pia::transport::ReceivedMessageAccessor const&)</code> with the ReceivedMessageAccessor buffer.
SetStationDataList will update state and immediately return if the join was denied. It will also validate the num_mesh_stations field against state. (Added in the new revision:) ParseJoinResponse also essentially verifies that the message was received from the host device.
The input buffer size is ignored.
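Both entries above describe the same class of defect: a count field taken from a received message is used to index memory without being checked, once against a fixed 0x100-byte u64 array (the unvalidated arraycount) and once against the size of the buffer the data is read from (SetStationDataList ignoring the input buffer size). The following parser is an added example, not code from this wiki page or from Pia; it shows the two bounds checks a receiver needs and the order they must be done in. The message layout (a little-endian u32 count followed by u64 entries), the function names and the sample values are assumptions for illustration, not the real SessionProtocol or MeshProtocol format.

```c
/* Added example (not from the Switch System Flaws page or from Pia itself):
 * length-checked parsing of a message carrying a count field followed by a
 * u64 array into a fixed 0x100-byte destination. The field layout is a
 * hypothetical stand-in for the real protocol format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MESSAGE_SIZE 0x100u                 /* max message size stated on the page */
#define ARRAY_BYTES      0x100u                 /* destination array size stated on the page */
#define ARRAY_CAPACITY   (ARRAY_BYTES / sizeof(uint64_t))   /* 32 entries */

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_OVERSIZED_MESSAGE,  /* message longer than the protocol maximum */
    PARSE_ERR_TRUNCATED_HEADER,   /* message too short to hold the count field */
    PARSE_ERR_COUNT_TOO_LARGE,    /* count exceeds the fixed destination capacity */
    PARSE_ERR_COUNT_PAST_END      /* count claims more entries than the message carries */
};

struct station_array {
    uint64_t entries[ARRAY_CAPACITY];
    uint32_t count;
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t read_le64(const uint8_t *p)
{
    return (uint64_t)read_le32(p) | (uint64_t)read_le32(p + 4) << 32;
}

static void write_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void write_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse [u32 count][u64 entries...] into *out, refusing anything that would
 * read past the received buffer or write past the fixed-size destination. */
enum parse_result parse_station_array(const uint8_t *msg, size_t msg_len, struct station_array *out)
{
    if (msg_len > MAX_MESSAGE_SIZE) return PARSE_ERR_OVERSIZED_MESSAGE;
    if (msg_len < sizeof(uint32_t)) return PARSE_ERR_TRUNCATED_HEADER;

    uint32_t count = read_le32(msg);

    /* Check 1: destination capacity. Done before any arithmetic on count so
     * the size computation below cannot overflow (count is at most 32 here). */
    if (count > ARRAY_CAPACITY) return PARSE_ERR_COUNT_TOO_LARGE;

    /* Check 2: the received buffer must actually contain every entry the
     * header claims; a header may lie about how much data follows it. */
    size_t needed = sizeof(uint32_t) + (size_t)count * sizeof(uint64_t);
    if (needed > msg_len) return PARSE_ERR_COUNT_PAST_END;

    memset(out, 0, sizeof *out);
    for (uint32_t i = 0; i < count; i++)
        out->entries[i] = read_le64(msg + sizeof(uint32_t) + (size_t)i * sizeof(uint64_t));
    out->count = count;
    return PARSE_OK;
}

/* Build a constructed message whose header claims `count` entries while only
 * `present` entries are appended (entry i has the value 0x1000 + i). */
static size_t build_message(uint8_t *buf, size_t cap, uint32_t count, uint32_t present)
{
    size_t n = sizeof(uint32_t);
    write_le32(buf, count);
    for (uint32_t i = 0; i < present && n + sizeof(uint64_t) <= cap; i++, n += sizeof(uint64_t))
        write_le64(buf + n, 0x1000u + i);
    return n;
}

/* Convenience wrapper: build a message with the given header/payload mismatch and parse it. */
enum parse_result run_case(uint32_t count, uint32_t present, struct station_array *out)
{
    uint8_t msg[MAX_MESSAGE_SIZE];
    size_t n = build_message(msg, sizeof msg, count, present);
    return parse_station_array(msg, n, out);
}

int main(void)
{
    struct station_array a;
    printf("honest header, 3 entries : %d\n", run_case(3, 3, &a));      /* PARSE_OK */
    printf("count 64 > capacity 32   : %d\n", run_case(64, 0, &a));     /* PARSE_ERR_COUNT_TOO_LARGE */
    printf("count 10, only 2 present : %d\n", run_case(10, 2, &a));     /* PARSE_ERR_COUNT_PAST_END */
    return 0;
}
```

The capacity check alone (the fix the page describes for arraycount) stops the stack overflow but not an over-read of the source buffer; the length check alone stops the over-read but not the overflow. A receiver needs both, with the capacity check first so that `count * sizeof(uint64_t)` is computed only on an already-bounded value.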