Zepp-Hanzj opened a new pull request, #18998:
URL: https://github.com/apache/nuttx/pull/18998
## Description
Fix out-of-bounds read and write in caused by missing validation before .
Fixes #18515.
### Problem
copies bytes from the request payload into the fixed-size buffer (4096
bytes) without validating that:
1. The full request header is present ()
2. The payload fits the received data ()
3. The payload fits the destination buffer ()
A crafted ioctl request with an inflated triggers:
- **OOB read** — reads past the end of the received request, potentially
disclosing adjacent memory.
- **OOB write** — writes past the end of , corrupting adjacent fields in .
### Solution
Add three validation checks before the , consistent with the buffer-size
check already performed by the handler in the same file (line 892):
Also replace the raw in the call with the validated for consistency.
### Verification
✅ **Checkpatch**: ✔️ All checks pass.
✅ **Code Review**: Three checks match the pattern used in at line 892
✅ **Consistency**: also uses the validated
### References
- Issue: #18515
### Signed-off-by
hanzj <[email protected]>
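
The three checks listed under "Problem", sketched as an added example; this is not the PR's code or NuttX source. The header layout, context struct, function name and error codes are hypothetical, and only the 4096-byte destination size is taken from the description above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IOCTL_BUF_SIZE 4096     /* destination size stated in the PR text */

/* Hypothetical wire format: fixed header followed by `len` payload bytes. */
struct ioctl_req_hdr
{
  uint32_t cmd;
  uint32_t len;                 /* sender-controlled payload length */
};

/* Hypothetical receiver state; `buflen` stands in for the adjacent
 * fields that an overflow of `buf` would corrupt.
 */
struct ioctl_ctx
{
  uint8_t  buf[IOCTL_BUF_SIZE];
  uint32_t buflen;
};

/* Returns the validated payload length, or a negated errno value. */
int handle_ioctl_req(struct ioctl_ctx *ctx, const uint8_t *pkt, size_t pktlen)
{
  struct ioctl_req_hdr hdr;
  size_t len;

  if (pktlen < sizeof(hdr))             /* 1. full header was received */
    return -EINVAL;

  memcpy(&hdr, pkt, sizeof(hdr));       /* copy out: pkt may be unaligned */
  len = hdr.len;

  if (len > pktlen - sizeof(hdr))       /* 2. payload lies inside the packet */
    return -EINVAL;                     /*    (no underflow: check 1 passed) */

  if (len > sizeof(ctx->buf))           /* 3. payload fits the destination */
    return -E2BIG;

  /* Use only the validated length from here on, never hdr.len again. */
  memcpy(ctx->buf, pkt + sizeof(hdr), len);
  ctx->buflen = (uint32_t)len;
  return (int)len;
}
```

Check 2 is what stops the out-of-bounds read and check 3 what stops the out-of-bounds write; writing check 2 as a subtraction on the already-validated `pktlen` avoids the integer overflow that `sizeof(hdr) + len > pktlen` could hit on a 32-bit `size_t`.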