888
edits
Changes
Jump to navigation
Jump to search
Line 304:
Line 304: + + + + + + + + + + + + + + + + + + + + + + + + + + +
Switch System Flaws (view source)
Revision as of 07:09, 19 September 2018
, 07:09, 19 September 2018→FIRM-package System Modules: rip
| April 23, 2018
| April 23, 2018
| Everyone
| Everyone
|-
| Single null-byte stack overflow in Loader ContentPath parsing
| Previously, loader content path parsing looked like this, where path_from_lr was up to 0x300 bytes and not necessarily null-terminated:
char nca_path[0x300] = {0};
strcat(nca_path, path_from_lr);
for (int i = 0; nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}
Thus, a content path of the maximum length (0x300 bytes) would result in strcat writing a NULL terminator past the end of the nca_path buffer.
This was fixed in [[6.0.0]], the new code looks like this:
char nca_path[0x300];
strncpy(nca_path, path_from_lr, sizeof(nca_path));
for (int i = 0; i < sizeof(nca_path) && nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'); }
}
| With access to "lr": single null-byte stack overflow in Loader. Maybe (but probably not) loader code execution.
| [[6.0.0]]
| [[6.0.0]]
| September 2, 2018
| September 19, 2018
| SciresM
|-
|-
|}
|}