| WriteHidData/SetHidReport copies the input struct to the stack, then passes it to the funcptr/vfunc call. WriteHidData2 passes the input buffer address directly to the funcptr/vfunc call. The called func eventually copies the input data into a stack struct using the size field specified in the input, without validating it.
This requires access to the btdrv service, only hid and btm have access.
This was fixed with [[12.1.0]] in WriteHidData/SetHidReport by doing a fixed-size copy into another tmp struct, with the size field being clamped to a maximum of 0x2BB afterwards. This struct is then used when calling the vfunc. The vfuncs called by WriteHidData/WriteHidData2/SetHidReport were also updated to clamp the size to the required maximum value.
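The defect and the fix described above, as an added C illustration (not the bluetooth module's own code; the struct layout, function names and canary are constructed assumptions). The stack frame is modelled as a struct with a canary placed right after the fixed-size buffer, so an over-long copy shows up as a clobbered canary instead of undefined behaviour; the only maximum the unclamped version enforces is the size of that model frame. The clamped version copies a fixed-size struct and caps the size field at 0x2BB before the size is used, which is the pattern the page attributes to 12.1.0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HID_REPORT_MAX 0x2BB   /* clamp ceiling named on the page */
#define FRAME_SLACK    0x100   /* constructed: room to observe an overrun safely */
#define CANARY_VALUE   0xC0DECAFEu

/* Constructed input struct: caller-controlled size field followed by payload. */
typedef struct {
    uint16_t size;
    uint8_t  data[HID_REPORT_MAX + FRAME_SLACK];
} hid_input_t;

/* Model of the callee's stack frame: fixed-size buffer, then a canary standing in
   for saved registers / return address, then slack so the demo stays in-bounds. */
typedef struct {
    uint8_t  buf[HID_REPORT_MAX];
    uint32_t canary;
    uint8_t  slack[FRAME_SLACK];
} frame_t;

/* Build a constructed HID DATA input with the requested size field and 'A' payload. */
void make_input(hid_input_t *in, uint16_t size) {
    memset(in->data, 0x41, sizeof in->data);
    in->size = size;
}

/* Pre-fix pattern: the callee trusts in->size. Returns 1 if the canary was overwritten.
   The single bound applied keeps the copy inside the model frame for the demo only;
   it is NOT a fix, the copy still runs past buf. */
int copy_unclamped(const hid_input_t *in) {
    frame_t f;
    f.canary = CANARY_VALUE;
    size_t n = in->size;
    if (n > sizeof in->data) n = sizeof in->data;   /* demo-only bound (frame is larger) */
    memcpy((uint8_t *)&f + offsetof(frame_t, buf), in->data, n);
    return f.canary != CANARY_VALUE;
}

/* Fixed pattern: fixed-size copy of the input into a temporary, then clamp the size
   field to HID_REPORT_MAX before it is used for any further copy. */
int copy_clamped(const hid_input_t *in) {
    frame_t f;
    hid_input_t tmp;
    f.canary = CANARY_VALUE;
    memcpy(&tmp, in, sizeof tmp);                     /* size-independent copy */
    if (tmp.size > HID_REPORT_MAX) tmp.size = HID_REPORT_MAX;
    memcpy(f.buf, tmp.data, tmp.size);                /* now bounded by buf */
    return f.canary != CANARY_VALUE;
}

int main(void) {
    hid_input_t in;
    make_input(&in, HID_REPORT_MAX + 0x10);           /* oversized size field */
    printf("unclamped canary clobbered: %d\n", copy_unclamped(&in));  /* 1 */
    printf("clamped   canary clobbered: %d\n", copy_clamped(&in));    /* 0 */
    return 0;
}
```

With a size field of 0x2CB the unclamped copy runs 16 bytes past the 0x2BB-byte buffer and overwrites the canary; the clamped copy caps the same input at 0x2BB and leaves it intact.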
| Stack buffer overflow
| [[12.1.0]]
| [[12.1.0]]
| July 16, 2020
| July 6, 2021
| [[User:Yellows8|yellows8]]
|-
| [[Bluetooth_Driver_services|bluetooth]] stack buffer overflow with HID DATA packets