Switch System Flaws: Difference between revisions
Line 548: | Line 548: | ||
! Discovered by | ! Discovered by | ||
|- | |- | ||
| [[Bluetooth_Driver_services|bluetooth]] gatt_process_notification stack buffer overflow | | [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow | ||
| gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack. | | gatt_process_notification is the GATT handler for processing notification/indication messages. gatt_process_notification does memcpy to stack from the input bt msg data, without size validation. The input len param isn't validated in this func either - if the remaining len following op_code is less than 2, a negative value will be used for the data copy to stack. | ||
These were fixed by adding a bounds check for the size, size==0 is also checked for now. | These were fixed by adding a bounds check for the size, size==0 is also checked for now. |
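Review bot: the only change in this revision is the "BSA" qualifier added to the flaw name on the first changed row; the description row below it is unchanged and still leaves one step implicit. It says that when the remaining length after op_code is less than 2 "a negative value will be used for the data copy to stack", and it would help to state that the copy length is passed as an unsigned size, so the negative value is interpreted as a very large count rather than as an empty copy; that is what makes the missing lower-bound check a stack overflow and not just a parsing error. In the last row, "size==0 is also checked for now" reads as if the zero-size check were provisional; if the intent is that the zero-size case is now checked in addition to the upper bound, "size==0 is now also checked" says that unambiguously.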