Switch System Flaws: Difference between revisions
Kernel GetLastThreadInfo: There was no such flaw. Textbox too small to fit, see: https://gist.github.com/TuxSH/242416cff54a95c3ffe5aab41206177e |
| April 23, 2018
| Everyone
|-
| Single null-byte stack overflow in Loader ContentPath parsing
| Previously, Loader's content path parsing looked like this, where path_from_lr was up to 0x300 bytes and not necessarily NUL-terminated:
char nca_path[0x300] = {0};
strcat(nca_path, path_from_lr);
for (int i = 0; nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'; }
}
Thus a content path of the maximum length (0x300 bytes) made strcat copy all 0x300 path bytes into nca_path and then write its NUL terminator to nca_path[0x300], one byte past the end of the buffer. The normalisation loop has no bound of its own either; it simply scans until it finds a NUL.
This was fixed in [[6.0.0]]; the new code looks like this:
char nca_path[0x300];
strncpy(nca_path, path_from_lr, sizeof(nca_path));
for (int i = 0; i < sizeof(nca_path) && nca_path[i]; i++) {
if (nca_path[i] == '\\') { nca_path[i] = '/'; }
}
strncpy never writes past sizeof(nca_path), but it also does not add a terminator when the source fills the buffer, which is why the loop is now bounded by sizeof(nca_path) as well.
| With access to "lr": single null-byte stack overflow in Loader. Maybe (but probably not) Loader code execution.
| [[6.0.0]]
| [[6.0.0]]
| September 2, 2018
| September 19, 2018
| SciresM
|-
|}
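Worked example for the Loader ContentPath row above. This is a harness added here for illustration; it is not code from the Switch System Flaws page, from Atmosphère, or from Nintendo's Loader. It models the relevant slice of Loader's stack frame as the 0x300-byte nca_path followed by a single sentinel byte standing in for whatever the compiler placed after the buffer, runs the pre-6.0.0 and 6.0.0 parsing logic on constructed content paths, and reports whether the byte after the buffer was clobbered. The struct layout, the sentinel value 0xAA, the hand-rolled strcat (used so compiler fortification cannot intercept the overrun before it is observed) and the generated paths are all assumptions of the example, not details of the real binary.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NCA_PATH_MAX 0x300      /* sizeof(nca_path) in Loader */
#define SENTINEL     0xAA       /* constructed canary value; not from the page */

/* Assumed model of the relevant slice of Loader's stack frame: the path
 * buffer plus one byte standing in for whatever follows it in memory.
 * volatile keeps the compiler from assuming the sentinel cannot change. */
struct frame {
    char nca_path[NCA_PATH_MAX];
    volatile unsigned char sentinel;
};

/* strcat() re-implemented by hand: copies src up to and including its NUL.
 * The write pattern is exactly strcat's; writing it out avoids _FORTIFY_SOURCE
 * aborting before the one-byte overrun can be observed. */
static void plain_strcat(char *dst, const char *src)
{
    while (*dst) dst++;
    while ((*dst++ = *src++) != '\0') ;
}

/* Pre-6.0.0 parsing: zeroed buffer, unbounded concatenation, unbounded scan. */
static void parse_old(struct frame *f, const char *path_from_lr)
{
    memset(f->nca_path, 0, sizeof(f->nca_path));   /* char nca_path[0x300] = {0}; */
    plain_strcat(f->nca_path, path_from_lr);         /* NUL lands at index 0x300 for a 0x300-byte path */
    for (char *p = f->nca_path; *p; p++)             /* scans until it finds a NUL, wherever that is */
        if (*p == '\\') *p = '/';
}

/* 6.0.0+ parsing: strncpy stops at sizeof(nca_path) and adds no NUL when the
 * source fills the buffer, so the scan is bounded by sizeof as well. */
static void parse_new(struct frame *f, const char *path_from_lr)
{
    strncpy(f->nca_path, path_from_lr, sizeof(f->nca_path));
    for (size_t i = 0; i < sizeof(f->nca_path) && f->nca_path[i]; i++)
        if (f->nca_path[i] == '\\') f->nca_path[i] = '/';
}

/* Constructed content path of the given length: 'a' bytes with a backslash
 * every 16th byte. NUL-terminated so only the write side of the old code is
 * exercised (a non-terminated source would also over-read, which is a separate issue). */
static void build_path(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (i % 16 == 0) ? '\\' : 'a';
    out[len] = '\0';
}

/* Run one version on a path of the given length.
 * Returns 1 if the byte after nca_path was clobbered, 0 if untouched, -1 on bad input. */
static int overflows(int use_new_code, size_t path_len)
{
    char path[NCA_PATH_MAX + 1];
    struct frame f;
    if (path_len > NCA_PATH_MAX) return -1;
    build_path(path, path_len);
    f.sentinel = SENTINEL;
    if (use_new_code) parse_new(&f, path); else parse_old(&f, path);
    return f.sentinel != SENTINEL;
}

/* Number of '/' left in the buffer by the fixed code, to show the bounded loop
 * still normalises every byte of a full-length path. */
static int slashes_after_new(size_t path_len)
{
    char path[NCA_PATH_MAX + 1];
    struct frame f;
    int n = 0;
    if (path_len > NCA_PATH_MAX) return -1;
    build_path(path, path_len);
    parse_new(&f, path);
    for (size_t i = 0; i < sizeof(f.nca_path); i++)
        n += (f.nca_path[i] == '/');
    return n;
}

int main(void)
{
    printf("old code, 0x2FF-byte path: byte after buffer clobbered = %d\n", overflows(0, 0x2FF));
    printf("old code, 0x300-byte path: byte after buffer clobbered = %d\n", overflows(0, 0x300));
    printf("new code, 0x300-byte path: byte after buffer clobbered = %d\n", overflows(1, 0x300));
    printf("new code, 0x300-byte path: backslashes normalised = %d\n", slashes_after_new(0x300));
    return 0;
}
```

The sentinel is only a stand-in; in the real frame the byte at nca_path[0x300] is whatever the compiler laid out next (a saved register, a canary, padding, or another local), which is what makes the practical impact hard to call, as the row's "maybe (but probably not)" reflects. Note that the fixed code leaves nca_path without a terminator for a 0x300-byte path, so anything that later treats it as a C string must carry its own bound.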