Switch System Flaws: Difference between revisions

Line 547: Line 547:
!  Public disclosure timeframe
!  Discovered by
|-
| [[Bluetooth_Driver_services|bluetooth]] gatt_process_notification stack buffer overflow
| gatt_process_notification is the GATT handler for processing notification/indication messages. It memcpy's the data from the input bluetooth message to a stack buffer without validating the size. The input len param isn't validated in this func either: if the remaining len following op_code is less than 2, a negative value is used as the length for the data copy to the stack.
These were fixed by adding a bounds check for the size; size==0 is also checked now.
| Bluetooth-sysmodule stack buffer overflow, with data received from a bluetooth message
| [[13.2.1]]
| [[13.2.1]]
| November 2021
| January 19, 2022
| [[User:Yellows8|yellows8]]
|-
| [[SSL_services|ssl]] CVE-2021-43527
Line 555: Line 565:
Note that a partial overwrite isn't an option: this is the func that initializes those fields to begin with; it just does deinit first before initializing hashcx/hashobj (prior to that, these fields would be all-zero unless overwritten by the buf-overflow).
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a ptr to an object which is later used to load a funcptr.
| [[13.2.1]]
| [[13.2.1]]
| Switch: December 1-2, 2021
| Switch: January 19, 2022
|  
|-
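The gatt_process_notification entry above describes two defects in one handler: a copy to a fixed stack buffer with no bounds check, and a signed length that goes negative when the PDU is shorter than its header. The following C is an added example written for this page, not the bluetooth sysmodule's code and not derived from it: it assumes a hypothetical PDU layout (1-byte opcode, 2-byte little-endian handle, then the value), made-up names (`unchecked_value_len`, `parse_notification`, `gatt_notification`) and a constructed buffer size, and shows the underflowing arithmetic in isolation next to a handler that applies the checks the fix added (length at least the header, size != 0, size within the buffer) before any byte is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed PDU layout for a Handle Value Notification/Indication (ATT):
 *   byte 0     opcode
 *   bytes 1-2  attribute handle, little-endian
 *   bytes 3..  attribute value
 * Hypothetical reconstruction for illustration only, not the bluetooth
 * sysmodule's code; names and the buffer size are constructed. */
#define GATT_HDR_LEN        3
#define GATT_MAX_VALUE_LEN  64   /* constructed size of the fixed stack buffer */

typedef struct {
    uint16_t handle;
    uint16_t value_len;
    uint8_t  value[GATT_MAX_VALUE_LEN];
} gatt_notification;

/* The flawed length arithmetic in isolation: with no check on the input
 * length, a PDU shorter than the header yields a negative value length.
 * Converted to memcpy's size_t parameter, that negative value becomes a
 * huge copy size, which is how the stack buffer gets overrun. */
int unchecked_value_len(int pdu_len)
{
    return pdu_len - GATT_HDR_LEN;   /* e.g. 2 - 3 == -1 */
}

/* Hardened handler: every check runs before any byte is copied.
 * Returns 0 on success or a negative code naming the rejected condition;
 * never writes past out->value. */
int parse_notification(const uint8_t *pdu, size_t pdu_len, gatt_notification *out)
{
    if (pdu == NULL || out == NULL)
        return -1;
    if (pdu_len < GATT_HDR_LEN)               /* not even opcode + handle present */
        return -2;
    size_t value_len = pdu_len - GATT_HDR_LEN; /* unsigned, cannot underflow now */
    if (value_len == 0)                       /* the size==0 check the fix added */
        return -3;
    if (value_len > GATT_MAX_VALUE_LEN)       /* bounds check against the buffer */
        return -4;

    memset(out, 0, sizeof(*out));
    out->handle    = (uint16_t)(pdu[1] | (pdu[2] << 8));
    out->value_len = (uint16_t)value_len;
    memcpy(out->value, pdu + GATT_HDR_LEN, value_len);
    return 0;
}

int main(void)
{
    /* Constructed sample PDUs: a valid one, one shorter than the header,
     * and one whose value exceeds the buffer. */
    const uint8_t valid[]     = {0x1B, 0x2A, 0x00, 0xDE, 0xAD, 0xBE, 0xEF};
    const uint8_t truncated[] = {0x1B, 0x2A};
    uint8_t oversized[GATT_HDR_LEN + GATT_MAX_VALUE_LEN + 1] = {0x1B, 0x2A, 0x00};
    gatt_notification n;

    int rc = parse_notification(valid, sizeof valid, &n);
    printf("valid:     rc=%d handle=0x%04x value_len=%u\n", rc, n.handle, n.value_len);
    rc = parse_notification(truncated, sizeof truncated, &n);
    printf("truncated: rc=%d (unchecked length would be %d)\n", rc,
           unchecked_value_len((int)sizeof truncated));
    rc = parse_notification(oversized, sizeof oversized, &n);
    printf("oversized: rc=%d\n", rc);
    return 0;
}
```

The order of the checks matters: the `pdu_len < GATT_HDR_LEN` test has to come before the subtraction, otherwise the subtraction itself is the bug, whether it underflows a signed int to a negative or an unsigned size_t to a huge value.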