Switch System Flaws: Difference between revisions

 
| nn::pia::session::RelayRouteManageJob::UpdateConnectionReport() checks that the input size is at least {value}, but there is no maximum size check. This size is used to memcpy from the input to elsewhere, hence a buffer overflow if the size is too large. The destination buffer is allocated on the pead heap, and is probably small.
Note that there are various requirements before execution would actually reach the memcpy, such as <code><nn::pia::session::Mesh::IsHost() const></code> having to return true.
This is called from nn::pia::session::MeshProtocol::ParseConnectionReport().
ParseConnectionReport uses a state pointer for an nn::pia::session::RelayRouteManageJob object, and returns if it is not set. nn::pia::session::Mesh::Initialize handles setting this up, depending on an input field from nn::pia::session::Mesh::Setting. These settings originate from <code><nn::pia::session::Session::CreateInstance(nn::pia::session::Session::Setting const&)></code>, which is called by user code with the needed settings.
ParseConnectionReport is therefore only reachable if the game explicitly enables the Relay functionality.


In fixed versions, immediately after the StationIndex validation, it now does: <code>if(statefield+0x10<input_size) return;</code>
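The following is an added illustration of the flaw and its fix, not code from the page or from Nintendo's Pia library: a constructed handler with the hypothetical names report_state_t, validate_report and run_report that models the host check, the minimum-size check, the StationIndex validation and the memcpy, and assumes the destination buffer holds exactly statefield+0x10 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the UpdateConnectionReport() flaw; names and sizes are hypothetical. */
enum { REPORT_MIN_SIZE = 8, STATION_COUNT = 16, DST_HEADER = 0x10 };

typedef struct {
    int     is_host;                  /* stands in for Mesh::IsHost() */
    size_t  statefield;               /* per-session length the fix compares against */
    uint8_t dst[DST_HEADER + 16];     /* small destination buffer; statefield is fixed at 16 here */
} report_state_t;

/* Validation as the page describes it: returns the byte count that will be memcpy'd, 0 if rejected. */
static size_t validate_report(const report_state_t *st, const uint8_t *in,
                              size_t in_size, int fixed_version) {
    if (!st->is_host) return 0;                      /* only reachable on the relay host */
    if (in_size < REPORT_MIN_SIZE) return 0;         /* the only size check before the fix */
    if (in[0] >= STATION_COUNT) return 0;            /* StationIndex validation */
    if (fixed_version && st->statefield + DST_HEADER < in_size) return 0; /* added maximum check */
    return in_size;
}

/* 1 = copied, 0 = rejected, -1 = validation passed but memcpy would overrun
 * dst (the copy is skipped so this demo stays memory-safe). */
static int update_connection_report(report_state_t *st, const uint8_t *in,
                                    size_t in_size, int fixed_version) {
    size_t n = validate_report(st, in, in_size, fixed_version);
    if (n == 0) return 0;
    if (n > sizeof st->dst) return -1;
    memcpy(st->dst, in, n);
    return 1;
}

/* Builds a state and a constructed report of in_size bytes, then runs the handler. */
static int run_report(size_t in_size, uint8_t station_index, int is_host, int fixed_version) {
    report_state_t st = { is_host, 16, {0} };
    uint8_t in[512] = {0};
    if (in_size > sizeof in) return 0;
    in[0] = station_index;
    return update_connection_report(&st, in, in_size, fixed_version);
}

int main(void) {
    printf("unpatched, 200-byte report: %d\n", run_report(200, 3, 1, 0)); /* -1: would overflow */
    printf("patched,   200-byte report: %d\n", run_report(200, 3, 1, 1)); /*  0: rejected */
    return 0;
}
```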
| Heap buffer overflow triggered by a Pia MeshProtocol message sent to a host device.
| v5.9.3, see above.