Changes

1,034 bytes added, 21:06, 29 November 2022
Line 1,124: Line 1,124:  
|  
 
|  
 
|  
 
|  
 +
|-
 +
| nn::pia::transport::UnreliableProtocol::Dispatch buffer overflow
 +
| <code>nn::pia::transport::UnreliableProtocol::Dispatch</code> memcpys data from the message into a list entry, without size validation. If the pia packet is the max size, it will only overwrite the 0xC-bytes which were written to immediately before the memcpy: the u32 size and the 8-byte StationAddress (depending on the version there can also be 4-byte padding after the size for alignment).
 +
However, nn::pia::transport::UnreliableProtocol::Receive will clamp the size from the list entry to the outbuf size when doing the memcpy. So this is probably useless.
 +
 +
It's unknown whether there's a version where more data could be overwritten, and whether that would be useful.
 +
 +
This is fixed in v5.31.0, exact version unknown. The message is dropped if too large in Dispatch.
 +
| Small buffer overflow triggered by a Pia UnreliableProtocol message.
 +
| v5.31.0, exact version unknown.
 +
| v5.18.98/v5.31.0
 +
| November 2022
 +
| November 29, 2022
 +
| [[User:Yellows8|yellows8]]
 
|}
 
|}
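Review bot: The fix-version wording in the added row is self-contradictory as written: both "This is fixed in v5.31.0, exact version unknown." in the description cell and the separate "v5.31.0, exact version unknown." cell name a version and then say the version is unknown. If the intent is that the size check is present in v5.31.0 but the first release carrying it was not identified, say that directly, for example "Fixed by v5.31.0; the first fixed version is unknown." In the same description cell, the overwrite is given as 0xC bytes (u32 size plus 8-byte StationAddress) while the parenthetical says some versions have 4 bytes of padding after the size; state whether the overwritten span grows to 0x10 on those versions or stays at 0xC. The first cell of the row also gives the function name bare while the description wraps it in <code>, so pick one form for both.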
  
