Switch System Flaws: Difference between revisions

|  
|  
|  
|  
|-
| nn::pia::transport::UnreliableProtocol::Dispatch buffer overflow
| <code>nn::pia::transport::UnreliableProtocol::Dispatch</code> memcpys data from the message into a list entry without size validation. If the Pia packet is the max size, the overflow only overwrites the 0xC bytes that were written immediately before the memcpy: the u32 size and the 8-byte StationAddress (depending on the version there can also be 4-byte padding after the size for alignment).
However, <code>nn::pia::transport::UnreliableProtocol::Receive</code> clamps the size from the list entry to the outbuf size when doing the memcpy, so this is probably useless.
It's unknown whether there's a version where more data could be overwritten, and whether that would be useful.
This is fixed in v5.31.0, exact version unknown. In Dispatch, the message is now dropped if it is too large.
| Small buffer overflow triggered by a Pia UnreliableProtocol message.
| v5.31.0, exact version unknown.
| v5.18.98/v5.31.0
| November 2022
| November 29, 2022
| [[User:Yellows8|yellows8]]
|}
|}
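The Dispatch/Receive pattern from the UnreliableProtocol entry above, as an added C sketch that is not Pia code: the entry layout, <code>ENTRY_DATA_MAX</code> and all function names are assumptions made for illustration. It models the 0xC-byte case without alignment padding and shows the unvalidated copy beside the drop-if-too-large fix and the Receive-side clamp.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENTRY_DATA_MAX 64u /* hypothetical capacity; the real value is not on the page */

/* Hypothetical list entry: payload buffer followed by the u32 size and the
 * 8-byte StationAddress, i.e. 0xC bytes sitting directly after the data. */
struct entry {
    uint8_t  data[ENTRY_DATA_MAX];
    uint32_t size;
    uint8_t  station_address[8];
};

/* Unvalidated pattern: the header fields are written, then the payload is
 * copied with the message's own length, so len > ENTRY_DATA_MAX runs into them. */
void dispatch_unchecked(struct entry *e, const uint8_t *msg, uint32_t len,
                        const uint8_t addr[8]) {
    e->size = len;
    memcpy(e->station_address, addr, 8);
    memcpy(e->data, msg, len); /* no size validation */
}

/* Fixed pattern: an oversized message is dropped before anything is written. */
int dispatch_checked(struct entry *e, const uint8_t *msg, uint32_t len,
                     const uint8_t addr[8]) {
    if (len > sizeof e->data)
        return -1; /* dropped */
    e->size = len;
    memcpy(e->station_address, addr, 8);
    memcpy(e->data, msg, len);
    return 0;
}

/* Receive side: clamp the stored size to the caller's buffer, as the page
 * describes, and also to the entry capacity (extra bound added in this example). */
size_t receive_clamped(const struct entry *e, uint8_t *out, size_t out_size) {
    size_t n = e->size;
    if (n > out_size) n = out_size;
    if (n > sizeof e->data) n = sizeof e->data;
    memcpy(out, e->data, n);
    return n;
}

int main(void) {
    struct entry e; uint8_t big[ENTRY_DATA_MAX + 0xC] = {0}, addr[8] = {0};
    return dispatch_checked(&e, big, sizeof big, addr) == -1 ? 0 : 1;
}
```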