Switch System Flaws: Difference between revisions
|-
| nn::pia::transport::UnreliableProtocol::Dispatch buffer overflow
| <code>nn::pia::transport::UnreliableProtocol::Dispatch</code> copies data from the message into a list entry with memcpy, without size validation. If the pia packet is the max size, it will only overwrite the 0xC bytes that were written immediately before the memcpy: the u32 size and the 8-byte StationAddress (depending on the version there can also be 4-byte padding after the size for alignment).
However, <code>nn::pia::transport::UnreliableProtocol::Receive</code> clamps the size from the list entry to the outbuf size when doing its memcpy, so this is probably useless.
It's unknown whether there's a version where more data could be overwritten, and whether that would be useful.
This is fixed in v5.31.0, exact version unknown. Dispatch now drops the message if it is too large.
| Small buffer overflow triggered by a Pia UnreliableProtocol message.
| v5.31.0, exact version unknown.
| v5.18.98/v5.31.0
| November 2022
| November 29, 2022
| [[User:Yellows8|yellows8]]
|}
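The C model below is an added example, not code from Pia or from this wiki: it reproduces the shape of the Dispatch flaw described above (fields written, then an unchecked copy), the clamp in Receive, and the fix that drops oversized messages. The struct layout, the names <code>entry_t</code>, <code>dispatch_unchecked</code>, <code>dispatch_checked</code> and <code>receive_clamped</code>, and the sizes 0x40 and 0x4C are assumptions chosen so that a max-size message overlaps exactly the 0xC bytes the entry mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_DATA_MAX 0x40u                   /* constructed payload capacity */
#define PACKET_MAX     (ENTRY_DATA_MAX + 0xCu) /* constructed max message size */

typedef struct {
    uint8_t  data[ENTRY_DATA_MAX];
    uint32_t size;       /* u32 size, written just before the copy */
    uint8_t  station[8]; /* stands in for the 8-byte StationAddress */
} entry_t;

/* Pre-fix shape: no length check. Copies via a byte view of the whole entry. */
void dispatch_unchecked(entry_t *e, const uint8_t *msg, uint32_t len, const uint8_t *st)
{
    e->size = len;
    memcpy(e->station, st, sizeof e->station);
    memcpy((uint8_t *)e + offsetof(entry_t, data), msg, len);
}

/* Post-fix shape per the page: an oversized message is dropped. */
int dispatch_checked(entry_t *e, const uint8_t *msg, uint32_t len, const uint8_t *st)
{
    if (len > ENTRY_DATA_MAX) return -1;
    e->size = len;
    memcpy(e->station, st, sizeof e->station);
    memcpy(e->data, msg, len);
    return 0;
}

/* Receive clamps the stored size to the output buffer (assumed <= capacity). */
uint32_t receive_clamped(const entry_t *e, uint8_t *out, uint32_t out_len)
{
    uint32_t n = e->size < out_len ? e->size : out_len;
    memcpy(out, e->data, n);
    return n;
}

int main(void)
{
    uint8_t msg[PACKET_MAX], st[8] = {0}, out[ENTRY_DATA_MAX];
    entry_t e;
    memset(msg, 0x41, sizeof msg); /* constructed max-size message */
    dispatch_unchecked(&e, msg, PACKET_MAX, st);
    printf("size=0x%x recv=%u checked=%d\n", (unsigned)e.size,
           (unsigned)receive_clamped(&e, out, sizeof out), dispatch_checked(&e, msg, PACKET_MAX, st));
    return 0;
}
```

In the unchecked path the stored size and address fields end up holding message bytes, while the clamped read still copies no more than the output buffer holds.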